Category Archives: Cybersecurity & Cybercrime

HHS OCR/ONC Announce Latest Version of Security Risk Assessment Tool

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released version 3.4 of their Security Risk Assessment (SRA) Tool.

The SRA Tool is designed to help healthcare providers conduct a risk analysis as required by the HIPAA Security Rule. Identifying and assessing potential risks and vulnerabilities to electronic protected health information (ePHI) are foundational elements in the implementation of security measures that protect ePHI.…

Biden Administration Publishes the National Cybersecurity Strategy Implementation Plan

On July 13, 2023, the Biden Administration released its National Cybersecurity Strategy Implementation Plan (NCSIP) with the goal of providing transparency and coordination for its existing goals. The NCSIP details more than 65 Federal initiatives (some completed, some ongoing, others planned for the future). Each NCSIP initiative is assigned to a responsible agency and has a timeline for completion.

There are five major “pillars” to the NCSIP:

  • Defending Critical Infrastructure
  • Disrupting and Dismantling Threat Actors
  • Shaping Market Forces and Driving Security and Resilience
  • Investing in a Resilient Future
  • Forging International Partnerships to Pursue Shared Goals

Some NCSIP initiatives,…

Cyberattacks on the Energy Sector Continue to Rise

Cyberattacks on the energy sector have been rapidly growing since 2017, and we saw an all-time high of cyberattack events on the sector in 2022. The energy sector is particularly vulnerable to these types of attacks due to the outdated and unsecured networks oftentimes used in the industry, as well as the increased use of distributed energy resources (“DER”), which creates more openings to attack and requires more resources to monitor and manage.…

If Your Password Is On This List, It’s Time to Change It

It’s been several years since I have written about password hygiene. I have been hoping that a better security solution would be widely adopted and while I hear rumors in that regard, passwords still reign supreme. So when I saw that the SafetyDetectives website had listed the 30 most common passwords, it seemed like a good time to revisit the topic. Their study found that “123456” and “password”…

CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force

On May 23, 2023, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions,…

As If Bank Failures Aren’t Enough – Hackers Are Exploiting the Chaos to Breach Security

The Massachusetts State Police Commonwealth Fusion Center (CFC) believes that cyber actors may use the current bank failures for future phishing and business email compromise (BEC) attacks. Cyber actors often use current events to mask their phishing campaigns to seem more believable and relevant. As everyone now knows, Silicon Valley Bank (SVB) became one of the largest banks to fail since the 2008 financial crisis. More recently, First Republic Bank also failed.…

Physical and Cyber-Attacks on Energy Infrastructure Expected to Continue

Over the past several years, the energy sector has become a prime target for hacking and ransomware attacks, with over 40 attacks on the industry since 2017.  Cyber attacks have only continued to rise, with a record high of 13 reported attacks in one year occurring in 2022.

Physical Security Threats to U.S. Energy Infrastructure

A new type of threat against the energy sector crystallized at the end of 2022: physical attacks on the grid.…

Lex Mundi Reports on Global Trends in Data Privacy in 2023

Foley Hoag is pleased to contribute to Lex Mundi’s report on global data privacy trends and topics. Our Lex Mundi network gives us access to the best attorneys in data privacy in jurisdictions across the globe, who provide local expertise on anticipated regulatory risks to overcome related to cross-border data and cybersecurity challenges. To access the full report, click here.

Massachusetts Governor Issues Executive Order to Strengthen State’s Cyber Defenses

Governor Charlie Baker recently took steps to strengthen cybersecurity in Massachusetts by signing an executive order on December 14, 2022 creating an advisory panel to improve the state’s cyber defense. The new state task force will assess existing resources, develop contingency plans, and identify strategies for preventing future cyberattacks. The goal of the task force is to ensure that the Bay State is at the forefront of the ever-evolving cybersecurity landscape.…

How to Prevent and Respond to Business Email Compromises

Foley Hoag presented a discussion and Q&A regarding the growing threat of business email compromises (a.k.a. man-in-the-middle attacks). Attorneys Chris Hart and Yoni Bard, litigators with experience in privacy matters and business disputes, shared what they have learned through successfully representing victims of hacking and phishing attacks that have led companies to misdirect payments to unknown criminal actors. They discussed strategies for preventing these attacks and, if they occur, maximizing the likelihood of recovery through rapid response strategies (involving law enforcement and banks),…

CISA, FBI, and DOE Release Joint Cybersecurity Advisory in Light of Increased Threats to Energy Sector’s Cybersecurity

On March 24, 2022, the Department of Justice unsealed two indictments charging four Russian government employees in two hacking campaigns that targeted critical infrastructure in the energy sector. We cover these indictments in depth here. Concurrently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) jointly published a Cybersecurity Advisory (CSA) relating to the hacks.…

US, UK, Australia, Canada and New Zealand Issue Advisory on Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory (CSA) to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.

Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure,…

Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure (i.e., Dealing with the Fallout from Russia’s Invasion of Ukraine)

The Cybersecurity & Infrastructure Security Agency (“CISA”) has just released CISA Insights: Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides proactive steps organizations can take to assess and mitigate risks from information manipulation. Malicious actors (i.e., Russia) may use tactics—such as misinformation, disinformation, and malinformation—to shape public opinion, undermine trust, and amplify division, which can lead to impacts to critical functions and services across multiple sectors.…

CISA on Russia, Ukraine and Ransomware

According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), the potential hostilities between Russia and Ukraine are likely to spill over into cyber warfare. In this month’s CISA Insights:

Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies,…

Biden Administration Focus on Cybercrime Continues with Israeli Companies Added to Entity List, New Export Controls, and Cryptocurrency Sanctions

On November 3, 2021, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) added two Israeli entities to the Entity List due to malicious cyber activities. In its press release, BIS stated that the designation of Israeli companies NSO Group and Candiru was based on evidence that these entities developed and supplied spyware to foreign governments, which was then used for malicious surveillance,…

DOJ Announces New Cyber-Fraud Initiative Promoting False Claims Act Enforcement Against Contractors and Grantees Failing to Follow Cybersecurity Standards

As we anticipated last spring, the Department of Justice (DOJ) has signaled that it will utilize civil enforcement of the False Claims Act (FCA) to address new and emerging cybersecurity threats. On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of a new cyber-fraud initiative led by the Fraud Section of DOJ’s Commercial Litigation Branch. The new initiative will focus FCA enforcement against federal government contractors or grant recipients who fail to follow required cybersecurity standards.…

Ransomware Payments – OFAC Updates its Advisory and Congress Gets Involved

Ransomware payments continue to be a focus of the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As previously reported by Foley Hoag, on October 1, 2020, OFAC released an advisory regarding potential sanctions risks related to facilitating ransomware payments. Almost a year later, on September 21, 2021, OFAC updated its advisory to provide additional guidance regarding what OFAC considers to be mitigating factors if facilitating a ransomware payment results in an apparent violation of U.S.…

Biden Issues Memorandum Aimed at Improving Cybersecurity

On July 28, 2021, President Biden issued a Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The Memo recognizes that the protection of the nation’s critical infrastructure lies not only with government, i.e., at the federal, state, local, tribal, and territorial levels, but with critical infrastructure owners and operators. In addition, the Memo states that cybersecurity threats to critical infrastructure, and the systems that control and operate it,…

Kaseya VSA Cyberattack: What Kaseya and the Feds Are Saying

If you aren’t following the ransomware attack on Kaseya’s VSA product and approximately 800-1500 of its users, you should be. Like many cyberattacks, this one came on the verge of a holiday weekend. As the company itself notes, “Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack. Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only.…

In Van Buren v. U.S., Supreme Court Clarifies Scope of CFAA, the Federal Anti-Hacking Statute

In Van Buren v. United States, the Supreme Court has issued its first ever opinion interpreting the Computer Fraud and Abuse Act. The CFAA, originally conceived as an anti-hacking statute, broadly prohibits, and imposes civil and criminal penalties for, accessing computers or computer systems “without authorization” or in a way that “exceeds authorized access.” 18 U.S.C. §1030(a)(2). The question before the Court was how far CFAA liability extends under that latter clause—“exceeds authorized access.” Does it apply merely to those allowed to obtain information from some parts of computer systems but not others?…

U.S. Department of Homeland Security Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators

On May 27, 2021, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a Security Directive that will enable DHS to better identify, protect against, and respond to threats to critical companies in the pipeline sector.  (And for those in other business sectors, this is a potential preview of cybersecurity regulation to come.)

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N.…

President Biden Signs Executive Order to Improve Cybersecurity and Protect Federal Government Networks

On May 12, 2021, President Biden signed an Executive Order which is aimed at improving the nation’s cybersecurity and protecting federal government networks.  The Executive Order has been in the works for some time, but the timing of its release is a response to the Colonial Pipeline ransomware attack.

According to the Fact Sheet issued by the White House, this Executive Order will:

  • Remove barriers to threat information sharing between government and the private sector
  • Modernize and implement stronger cybersecurity standards in the Federal Government
  • Improve software supply chain security
  • Establish a Cybersecurity Safety Review Board
  • Create a standard playbook for responding to cyber incidents
  • Improve detection of cybersecurity incidents on Federal Government networks
  • Improve investigative and remediation capabilities

The overall impact of the Executive Order is limited,…

CISA Issues Ransomware Alert for Activity Targeting the Healthcare and Public Health Sectors

On October 28, 2020, a joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures used by cybercriminals against targets in the healthcare and public health sectors to infect their systems with Ryuk ransomware for financial gain.

CISA,…

Department of Homeland Security Releases Homeland Threat Assessment

On October 6, 2020, the Department of Homeland Security (“DHS”) released a 2020 Homeland Threat Assessment (“HTA”). According to Acting Secretary Chad F. Wolf, the “first of its kind report” identifies the primary threats facing the nation and analyzes the vast array of information coming from all DHS operational components that crosses his desk on a daily basis. “When the American people read this HTA they will be more aware of the traditional threats facing the Homeland like terrorism and organized crime.…

Is Paying Ransomware Grounds for OFAC Sanctions? OFAC Says “Maybe”….

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies that might pay ransomware attackers of the potential sanctions risks for facilitating ransomware payments. In particular, the alert targeted “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response….” While this is an advisory and does not have the force of law,…

The Equifax/Massachusetts Attorney General Consent Judgment: A Guide for Privacy and Security Compliance

What do businesses need to do to comply with privacy and data security laws? The first place to look is to relevant statutes. If you store or process the personal information of Massachusetts residents, then you will at least be subject to the Massachusetts Data Breach Notification Statute and related security regulations. These are important guides that require certain operational activities, such as maintaining a written information security program,…

Beware of COVID-19-Based Cyber Attacks, Say US and UK Agencies

Malicious cyber actors have been exploiting the COVID-19 crisis, warn the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) in a joint release issued April 8. Bad actors have done so in two main ways: first, by grafting COVID-19-related themes onto standard cyberattack practices; second, by exploiting vulnerabilities in services that have seen increased use since the pandemic began.…

FBI Warns of Teleconferencing and Online Classroom Hijacking

If you are among the many people turning to video-teleconferencing (VTC) to stay connected during the COVID-19 pandemic, you need to protect yourself from “Zoom-bombing” – the entrance of uninvited individuals into your VTC.  The FBI has received multiple reports of conferences being disrupted by offensive images and/or threatening language.

The FBI recommends the following steps to mitigate VTC hijacking threats:

  • Do not make meetings or classrooms public:
    • In Zoom,…

March 13, 2020 Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency Briefing on Covid-19 and Data Security

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) just completed a stakeholder security briefing.  This was recorded and should soon be available on the CISA website, but in the interim, some key takeaways are:

  • We are in the “initiation phase” of the pandemic, meaning the worst is yet to come (the “acceleration phase”).
  • Covid-19 has been found in 42 states.
  • The presenters declined to comment on the likelihood of mandatory quarantines.…

Experts Anticipate Iran’s Next Move Will Include Cyberattacks on U.S. Energy Infrastructure

Security experts nationwide warn that the United States should expect serious cyberattacks from Iran in the next few months. The anticipated attacks, retaliation for United States’ killing of Major General Qasem Soleimani, are likely to include as targets oil refineries and other energy infrastructure.  The specific targets, and whether the attacks will be state-sponsored and strategic or carried out by individuals or smaller groups, remain unknown.

One reason underlying the likelihood that Iran will ramp up its cyberattacks is that,…

Cybersecurity 2020 — The Year in Preview: Top 3 State AG Trends to Watch in 2020

Editors’ Note: This is the fifth in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Our previous entries discussed the CCPA, energy, Brexit, and health privacy. Next up: trends in GDPR enforcement.

Out of all governmental agencies, state attorneys general are likely to have the greatest impact on privacy enforcement in 2020 for the average business.…

US Security Officials Warning of Cyber Attacks in Wake of Iran Strike

On January 4, 2020, the US Department of Homeland Security posted a National Terrorism Advisory System Bulletin, in the wake of the killing of a senior Iranian military leader by a US drone. That DHS advisory states:

The United States designated Iran a “State Sponsor of Terrorism” in 1984 and since then, Iran has actively engaged in or directed an array of violent and deadly acts against the United States and its citizens globally.…

InfoTrax Systems Settles FTC Allegations It Failed to Safeguard Consumer Data

InfoTrax Systems, a Utah-based technology company, has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers. InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training,…

Watch: Cybersecurity Regulation and Enforcement

As data breaches are seemingly reported on a daily basis, cybersecurity has emerged as a top enforcement priority for federal and state regulators and a key concern for companies of all sizes in a diverse range of industries. For example, compliance with federal cybersecurity regulations is required by nearly every government contract and the New York Division of Financial Services adopted a vast set of regulations that is applicable to all entities operating under NYDFS licensure.…

What Do Pumpkin Spice Lattes and National Cybersecurity Awareness Month Have in Common?

What do pumpkin spice lattes and National Cybersecurity Awareness Month have in common?  Not much, other than both should be top of mind in October, but that doesn’t mean that it’s wrong to think about them both in August.

Held every October, National Cybersecurity Awareness Month is a collaborative effort between government and industry to ensure every American has the resources they need to stay safe and secure online while increasing the resilience of the Nation against cyber threats.…

Partner Colin Zick to Speak on Cybersecurity Panel on August 14, 2019

Partner Colin Zick will speak at the “A Day at the Breach: Cybersecurity and Privacy for Your Business” event in Boston on August 14, 2019.

Description

Inadequate Cybersecurity processes can bring business operations to a halt, and cost thousands of dollars in litigation and lost revenue. This networking program will feature an expert panel discussion on recent trends in Cybersecurity and Privacy issues and best practices.…

China’s Internet Regulator Drafts COPPA-Like Rules for Children’s Data Privacy

In early June, the Cyberspace Administration of China released for public comment new draft regulations applicable to the collection of personal information relating to children under 14 by online service providers.

The draft regulations share many of the same structures as those utilized by the Children’s Online Privacy Protection Act (“COPPA”) in the United States:

  • online service operators will have to obtain parental consent based on a comprehensive disclosure about the collection,…

Presentation: The New Massachusetts Data Breach Law – An Update

A new Massachusetts law toughens reporting requirements for companies and organizations hit by data security breaches and requires free credit monitoring for affected consumers. Partner Colin Zick and counsel Chris Hart recently presented a webinar for Associated Industries of Massachusetts (AIM) that provides a big picture of the data privacy legal landscape, discusses real-world impacts of the new provisions and offers guidance on other upcoming changes such as the GDPR and the California Consumer Privacy Act (CCPA).…

Is the CCPA Too Burdensome … for Consumers?

The California Consumer Privacy Act (“CCPA”) has been lauded as a “huge step forward” that could set a standard for other states and the federal government that enact increasingly robust data privacy legislation. Indeed, some federal lawmakers view the law so favorably that they do not want future federal legislation to replace it. In the words of Rep. Jackie Speier (D-Calif.) to Politico: “California’s bill is the best.…

Minimizing Risk and Liability from Man in the Middle Attacks (or, How to Keep Your Company’s Wire Transfers from Going Awry)

Imagine this scenario: you’ve had a productive and mutually advantageous ongoing contractual relationship of several years with another party. You have built up quite a bit of trust over the years, and communicate regularly over email. Your email communications include you receiving invoices and then confirming payment; your email messages might include a note about an upcoming shipment or provision of services, or even a note wishing the family well.…

Partner Colin Zick Speaks to Bloomberg Law on Why Companies Are Anxious for a Federal Move on Privacy

Bloomberg Law interviewed partner Colin Zick as part of a Special Report on how businesses are adjusting to recent data and privacy rules. Zick discusses why companies should be prepared to deal not only with GDPR requirements, but also a patchwork of state laws that may carry compliance requirements as well.

“We’re in the midst of a large public policy debate about what we’re going to do when it comes to data privacy laws,”…

FERC and NERC Talk Grid Resilience and Cybersecurity

On March 22, 2019, Foley Hoag hosted the New England Electricity Restructuring Roundtable, organized by Raab Associates. The roundtable featured keynote addresses by Federal Energy Regulatory Commission (“FERC”) Commissioner Cheryl LaFleur—who recently announced she will be stepping down later this year—and North American Reliability Corporation (“NERC”) CEO and President James Robb. Both took turns addressing the most pressing issues in energy.…

Is Your Company’s Board of Directors Cyber Savvy?

Every company should expect that at some point it will experience a data breach. Whether as a result of hackers, disgruntled employees, or careless acts such as losing an unencrypted phone or laptop, data breaches may subject companies to liability and must be handled with speed and great care. What are the responsibilities of directors in preventing and addressing data breaches?

Without a doubt, directors must be generally aware of the data security risks facing the company and ensure that the company is prepared to manage those risks appropriately and has an incident response plan for a data breach.…

Join us March 27: Legal and Technical Perspectives on Data Privacy and Security

Taking stock of the current privacy and security environment is critical. The legal world around data privacy continues to shift and the technical challenges to solving data security needs continue to increase in complexity.

Join Foley Hoag’s Chris Hart and Rapid7’s Jeremiah Dewey for a conversation about understanding and meeting today’s data privacy and security challenges. They will discuss the following:

  • What does the current threat environment look like?…

Partner Colin Zick Discusses Why Law Firms Are Building State Privacy Practices as Enforcement Heats Up with Bloomberg Law

Partner Colin Zick speaks to Bloomberg Law about how big law firms are expanding their state-focused practices to help clients deal with heavy state fines for alleged privacy violations.

Companies are turning to state-centric practices “because they see the threats from individual state enforcers,” Zick said. They want expertise from former officials, like former Massachusetts Attorney General Martha Coakley, who know the proper approach to limit enforcement risks,…

Debate over Cybersecurity Oversight for Gas Pipeline and Bulk Power Systems Continues

Earlier this month, Federal Energy Regulatory Commission (“FERC”) Chairman Neil Chatterjee testified before the U.S. Senate Committee on Energy and Natural Resources on issues related to cybersecurity in the energy industry.

In his testimony, Chatterjee seemed to soften at least his messaging, if not his position, calling for increased mandatory oversight of cybersecurity for gas pipelines. In a joint letter written last June,…

Minimizing Litigation Risk: What Cybersecurity Auditors Can Learn From Their Financial Statement Auditor Analogues

Data breaches – always critically important to those with responsibility for storing, transporting and protecting electronic information – have become an all-consuming topic of late. Stories about data theft dominate political headlines, boardroom discussions, and family meetings around the dinner table.  They, of course, have also been the subject of government investigations and private litigation.

The current environment is not unlike other moments in our recent past that seemed to have captured the attention of Wall Street,…

Cybersecurity 2019 — The Year in Preview: AI, Security, and Emerging Threats

Editors’ Note: This is the fourth in our third annual series examining important trends in data privacy and cybersecurity during the new year. Our previous entries were on state law trends, comparing the GDPR with COPPA, and energy and security. Up next: cryptocurrency.

Predicting the future is always a bit of a mug’s game, given that today’s bold claims about what is coming next often end up being served as tomorrow’s “claim chowder,” to use John Gruber’s memorable phrase.…

SEC Brings First Enforcement Action for Identity Theft Red Flags Rule Violations

On September 26, in the Securities and Exchange Commission’s (“SEC”) first enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), Voya Financial Advisors Inc. (“VFA”), an SEC-registered investment adviser and broker-dealer, has agreed to settle charges relating to failures in its cybersecurity policies and procedures concerning a cyber-intrusion that compromised thousands of customers’ personal information. VFA agreed to pay a $1 million penalty as well as retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule.…

GDPR Creates Rugby Scrum

In a recent trip to Ireland, I was surprised to see two subjects that Ireland is known for — GDPR and rugby — coming into conflict. As reported in the Sunday Business Post, World Rugby was lobbying the Irish government to create new data protection laws to address the interaction of anti-doping testing and the laws regarding transfer of data among and between different countries.…

China Expands Its Cybersecurity Regulations

As noted recently in the Wall Street Journal, “New cybersecurity rules will give Chinese authorities sweeping powers to inspect companies’ information technology and access proprietary information—steps that are likely to deepen concerns among foreign businesses about their China operations.” These regulations were issued pursuant to the Cybersecurity Law of the People’s Republic of China, which came into force on June 1, 2017.…

California Amends its Consumer Privacy Act

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the Golden State’s landmark Consumer Privacy Act (“CCPA”). California enacted the CCPA in June after legislators reached a last-minute compromise with a group of privacy activists who would have put a more stringent data protection measure on the November ballot. Given the hasty enactment of the law,…

Hacker Fails to Establish “Necessity” of DDOS Attack on Hospital

In a recent decision from the District of Massachusetts, the alleged perpetrator of cyber-attacks against Wayside Youth and Family Support Network and Boston Children’s Hospital (“BCH”) failed in his attempt to assert a novel defense: necessity. In what most would view as a positive development, the court found that the defendant and alleged hacker did not “offer[] competent evidence that it was objectively reasonable to anticipate a causal relationship between the alleged cyber attack and the purported harm to be averted.”…

Escalation of Cybersecurity Threats to National Power System Prompts FERC to Call for Stricter Reporting Standards

On July 19, the Federal Energy Regulatory Commission (“FERC” or “Commission”), pursuant to its authority under section 215 of the Federal Power Act, issued a final rule directing the North American Electric Reliability Corporation (“NERC”) to develop modifications to NERC’s Reliability Standards as they relate to cyber security incidents. Issuance of the final rule is timely. A recent news article described hackers’ successful infiltration of the control rooms of multiple electric utilities.…

Blogging from BIO 2018: And on the Third Day… the Panel Discussed Privacy and Data Security

It took three days, but I finally found a panel at BIO 2018 that addressed the current challenges in privacy and security regarding health data.  This panel, Realizing the Potential of Clinical and Consumer Genomics, was focused on all the new genetic tests that are available (with more to come) and all the genetic data those tests are generating.  I was particularly impressed with the approach of Mindstrong Health to privacy and security,… More

Blogging from BIO 2018: Does the Life Science Industry “Get” Cyber Security?

I am attending BIO 2018 in Boston, just steps from our Boston office. Naturally, I was drawn to yesterday’s session on “Life Sciences Cyber Exposures and Risk Mitigation Considerations.” But I came away disappointed. First of all, the session was held in a small room and even then, it was only one-third full (maybe 30 people of the 16,000 attending BIO 2018 chose to attend).… More

DNC Sues Russia, the Trump campaign, Wikileaks

It’s probably not going to change anything, but the Democratic National Committee has sued Russia (and members of the Russian establishment), members of the Trump campaign, and Wikileaks regarding the 2016 election security breaches.  The DNC’s complaint includes almost every claim imaginable in response to a hacking incident.  If nothing else, it’s a good model for lawyers to crib from. More

Partner Colin Zick Speaks to Bloomberg BNA About the Privacy Concerns of Ride-sharing and Healthcare

Reproduced with permission from Bloomberg Law: Health IT Law & Industry Report, (March 9, 2018). Copyright 2018 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By James Swann

Privacy and security concerns are mounting as Uber and Lyft break into the medical transportation space.

The two companies recently rolled out separate initiatives to drive patients to and from medical appointments,… More

Recent Reports Confirm Continuing Vulnerability of Healthcare Industry to Cyber Issues

There seems to be a new scientific study published every day—like this one that alleges that eating cheese every day might actually be healthy. Understandably, many of these studies fly under the radar — but two recently published reports regarding cybersecurity and health care should not. These two reports show that the healthcare industry in particular is continuing to struggle with cybersecurity issues. Understanding the vulnerabilities revealed by these studies is important to healthcare organizations attempting to reduce their cybersecurity risks and legal liabilities.… More

New SEC Guidance Addresses Disclosure Requirements for Breach Events

As the SEC has made clear on numerous occasions over the past year, cybersecurity will continue to be a major enforcement priority under the Commission’s new leadership.  As we have previously covered, one new area of potential enforcement activity that the SEC has warned about concerns the failure of public companies to make disclosures regarding material cyber events.  While the SEC had previously provided some guidance to publicly traded companies about when to disclose such events,… More

What IP Practitioners Should Know About GDPR And Personal Data Protection In Europe

In the European Union (“EU”), “everyone has the right to the protection of personal data concerning him or her” under the Charter of Fundamental Rights. Intellectual property is also protected as a fundamental right under the Charter, as is freedom of speech. These rights can sometimes conflict. In two previous posts on cases about linking to Playboy pictures and the inspiration for Jeff Koons’ sculptures,… More

Partner Colin Zick Speaks to Bloomberg BNA about Cyberthreats and Healthcare Data

Reproduced with permission from Bloomberg Law: Privacy & Data Security, (Jan. 18, 2018). Copyright 2018 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By James Swann

The federal government has identified two new cyberthreats that put patients’ personal data at risk for exposure.

The threats, known as Spectre and Meltdown, exploit a vulnerability in many commercial computer chips underpinning health-care computer networks,… More

Recent Federal Legislation Demonstrates Growing Federal Interest in Blockchain for Cybersecurity

Recent federal legislation indicates a growing federal interest in blockchain as a potentially integral technology in cybersecurity systems. This comes on the heels of recent legislation in the New York Assembly also suggesting state level interest in blockchain.

On December 12th, H.R. 2810, the “National Defense Authorization Act for Fiscal Year 2018,” was signed into law. This law was, first and foremost,… More

Recent New York Legislation Demonstrates Growing Governmental Interest in the Use of Blockchain for Cybersecurity

Recent legislation in the New York State Assembly reflects a growing governmental interest in blockchain as a technology in cybersecurity systems.  On November 27, four different bills addressing blockchain technologies were introduced into the New York State Assembly. Most significant among these is Assembly Bill 8793, which would establish a task force to study and report on the potential implementation of blockchain technology in state record keeping,… More

DHS Amplifies Call for Public-Private Partnership in Cyberdefense and Pledges to “Intervene Directly”

The worldwide WannaCry attack from May 2017 has been officially blamed on North Korea.  In a press briefing publicly announcing the Administration’s declaration of North Korean culpability, the Department of Homeland Security continued to note the importance of public-private partnership in cyberdefense.  While such collaboration (and desire for collaboration) is not new, the press briefing did appear to call for a newfound emphasis on the need for the government to work together with private companies. … More

Cybersecurity 2018 – The Year in Preview: Federal Enforcement Trends

Editors’ Note:  This is the third of a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Click here for our previous entry on HIPAA Compliance, and here for our entry on emerging security threats.  Up next:  trends in state enforcement.

This time last year, Donald Trump had just been elected,… More

Data Breach Litigation: What Enterprises Should Know (from SearchSecurity)

Editors’ Note:  The following is an excerpt from an article published by SearchSecurity.  To read the full article, click here.  Registration required.

A data breach is a business crisis that can have enduring ramifications. While the discovery of a breach can initiate a drill — investigating what happened, remediating the security gaps, engaging law enforcement, and complying with state and federal notification laws —… More

Some Cyber Monday Shopping Tips

As you enjoy the holiday weekend, and even some Cyber Monday shopping, keep in mind these online shopping tips from the FTC:

  • Know the seller and the item. Put the company or product name in a search engine, along with “review,” “complaint,” or “scam.” Read the reviews. Be sure you can contact the seller if you have a dispute.
  • Avoid clicking links in emails.… More

Cybersecurity 2018 – The Year in Preview: Emerging Security Threats

Editors’ Note:  This is the second of a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Click here for our previous entry on HIPAA Compliance.  Up next:  trends in federal enforcement.

After one of Britain’s first victories in the Second World War, Winston Churchill declared that it was “perhaps, the end of the beginning” – a turning point in the war. … More

JAMA: Cybersecurity Concerns and Medical Devices – Lessons from a Pacemaker Advisory

Interesting viewpoints from this Journal of the American Medical Association article on FDA’s August 2017 notice re: cyber security issues with certain pacemakers, including:

  • “This first widespread cybersecurity advisory involving a permanent medical device implant provides some insight into the ways in which the public experience with these types of medical device malfunctions might be improved.”
  • “Communications regarding widely used products for which multiple vendors exist in the marketplace should serve as opportunities to highlight current FDA and industry standards,… More

Security in our Decentralized Election System: News from DHS

After repeated requests from various states, the Department of Homeland Security informed state governments which states had their election systems hacked or otherwise compromised during the 2016 general election.  According to reports, 21 states had their systems compromised in some fashion, although there is no evidence voting machines themselves were tampered with and in only some instances were computer systems actually penetrated.… More

The Massachusetts Attorney General’s Complaint Against Equifax

As most are aware, the Massachusetts Attorney General has won the race to the courthouse and been the first regulator to file suit against Equifax.

  • The 28-page complaint is summed up in paragraph 4: “Consumers do not choose to give their private information to Equifax, and they do not have any reasonable manner of preventing Equifax from collecting, processing, using, or disclosing it. Equifax largely controls how,… More

Watch: Privacy and Data Security for the Generalist In-House Counsel

Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.

As in-house counsel,… More

Kaspersky Lab and Due Diligence – How Do You Minimize Risk?

Kaspersky Lab, a Russian-owned cybersecurity company that sells anti-virus software and other kinds of IT systems security products, has been banned from use by the federal government.  This latest development comes by way of the Department of Homeland Security (DHS), which issued a directive requiring agencies to (1) identify Kaspersky products they are using, (2) create plans to stop using those products, and,… More

Yes, You Were Likely a Victim of the Equifax Hack, But Here’s What You Can Do Now

As we previously said, the Equifax breach affects approximately 143 million Americans. While the hackers stole data that includes addresses, birth dates, full names and Social Security numbers, there are steps you can take today that will protect you from an identity theft worst-case scenario.

Assume the hackers stole your data

While no one wants to be in a situation where personal information was exposed,… More

High Security: How to Minimize Marijuana Data Risks

As we’ve blogged in the past, the cannabis industry is particularly susceptible to cyberattacks. With threats like a federal crackdown and workplace drug testing, customers have a vested interest in keeping their information private. Unfortunately, the newly-legal cannabis industry has limited experience with data security. While traditional industries have the benefit of expertise and mature regulatory oversight to foster best cybersecurity practices,… More

Webinar on September 13: Privacy and Data Security for the Generalist In-House Counsel

Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.… More

Top U.S. Cyber Official Resigns

Christopher Painter, the State Department’s “Coordinator for Cyber Issues,” stepped down on July 28, 2017. Described as the Department’s “weary soldier in America’s cyber war,” Painter traveled the globe advancing U.S. interests in cyberspace. His efforts included coordinating diplomacy in cyber security matters and launching “cyber dialogues” with foreign powers. The aim of those dialogues: reducing cyber threats ranging from DDoS attacks to the theft of intellectual property.… More

Stolen Tax Returns? Virginia Seeks a Solution.

Did someone steal your tax return?  You are not alone.  Indeed, the rise in tax-related identity theft has been well documented.  In 2015, the FTC reported a 50% increase in identity theft complaints.  A primary cause of that increase was the rise in tax-related identity theft.  In response, the IRS has made stopping identity theft and refund fraud a top priority.  From 2011-2014, the IRS reported that it stopped 19 million suspicious returns and protected more than $63 billion in fraudulent refunds. … More

Deja Vu All Over Again: Massive Ransomware Attack Underway

A mere month and a half after the WannaCry strain of ransomware caused major havoc in European and Asian countries, another major ransomware attack hit large institutions across Europe and the United States yesterday.  Hardest hit has been Ukraine, which has seen major attacks on its government, banks, and power infrastructure.  Other European firms such as Germany’s Deutsche Bahn railways and Danish shipping firm A.P.… More

The Boston Municipal Research Bureau and Foley Hoag LLP Invite You to a Member Briefing on Cybersecurity in 2017

Cybersecurity has become an increasingly important issue for businesses and governments. Please join us as we host a Member Briefing with two premier experts in Cybersecurity.

Our speakers will provide insights into some of the most significant Cybersecurity challenges facing businesses and government today, including:

  • Evolving threats to how businesses & government operate
  • Insider threats and what that means for the future
  • Importance of being prepared and protected
  • The cost of cyber crime

Speakers

How the French Fought the Election Hackers

Emmanuel Macron won France’s presidential election in a landslide. He defeated his opponent, Marine Le Pen, by more than thirty percentage points. Such a high margin might lead one to think that his victory was inevitable. But on the eve of the election, it did not seem that way.

On the Friday before the Sunday election, hackers released a trove of documents they had stolen from the Macron campaign.… More

Watch: Cybersecurity Incident and Response Webinar

Presented by Foley Hoag LLP and PwC

A data breach is a business crisis. What should you do?

Learn first-hand as Foley Hoag LLP and PwC walk you through the practical and legal aspects of responding to a data security incident. From understanding how to be prepared to thinking through best practices, this webinar is designed to help you get a handle on an emergency that every business must confront.… More

Cybersecurity, A-Z: C is for CFAA

The Computer Fraud and Abuse Act, or CFAA, is the federal “anti-hacking” statute (or sometimes referred to as a “computer trespass” statute).  In essence, the CFAA prohibits intentional unauthorized access into another computer, when such action directly accesses certain protected information or otherwise causes damage or loss.  The CFAA provides for both criminal penalties and civil causes of action.  The scope and meaning of access “without authorization”… More

“If You Are Reading This, You Probably Weren’t Hacked Last Week” – So Now What?

First, the basic facts about the recent ransomware attack:

  • US-CERT has received multiple reports of WannaCry ransomware infections in several countries around the world.
  • Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.… More

Is the May 12 Massive Ransomware Attack a Turning Point?

Those “in the know” in the cybersecurity world have been aware for more than a year of the threat posed by ransomware, a type of malware that locks victims’ access to their files until they pay a ransom.  But discussion of the threat was mostly localized to cybersecurity professionals, blogs like this one, and various guidances released by federal agencies during 2016. But ransomware may just have entered the general public consciousness in a big way.… More

Boston Bar Association’s Inaugural Privacy and Cybersecurity Conference, May 24, 2017

The Boston Bar Association’s inaugural Privacy and Cybersecurity Conference will be held on May 24.  The conference will bring together attorneys from private practice and in-house legal departments to network and discuss key topics and trends in privacy and cybersecurity.  This full-day conference will cover a wide range of topics from data breach response and litigation to compliance and transactional issues. Panelists will discuss new developments in the legal and regulatory landscape,… More

U.S. Steel ITC Case Alleging Chinese Government Hacked Its Network and Stole Its Secret Formulas May Be Revived

First, a little background for those unfamiliar with the wonderful world of the International Trade Commission (ITC). 

Section 337 of the Tariff Act of 1930 (19 U.S.C. § 1337) prohibits “unfair methods of competition and unfair acts in the importation of articles … into the United States,” including the importation of articles that infringe various types of intellectual property.  Companies can file complaints in the ITC and administrative law judges oversee the investigations. … More

Where Should Broker Dealers Invest Today? Cyber Security Compliance

With cyber security threats on the rise, broker dealers must prioritize protection of electronic investor information.  What cyber security threats exist for broker dealers?  In its 2015 Report on Cyber Security Practices, the Financial Industry Regulatory Authority (FINRA) identified a wide range of actors that may attempt to compromise a broker dealer’s electronic records and functions: (1) cybercriminals seeking to steal; (2) nation states; (3) terrorist groups;… More

BBA Announces Privacy and Cybersecurity Conference

Partner Colin Zick sits on the advisory committee for Boston Bar Association’s inaugural Privacy & Cybersecurity Conference.

Held at the Courtyard Marriott in Boston on May 24, this full-day conference will cover a wide range of topics from data breach response and litigation to compliance and transactional issues. Panelists will discuss new developments in the legal and regulatory landscape, while providing strategies to effectively prepare and respond to your client’s needs and offer insights into challenges and opportunities ahead.… More

Cybersecurity, A-Z: A is for Active Cyber Defense

(First in a continuing series.)

Active Cyber Defense, or ACD, is a broad category encompassing different kinds of actions that organizations can take to defend against breaches and cyberattacks. The operative word is “active.”  Conventional security against breaches tends to involve anti-virus software, encryption, and other largely passive, perimeter-oriented defenses that act to prevent outsiders from getting into your organization’s systems.  ACD tools are different, and involve anticipating,… More

Spring has Sprung — and so have New York Cybersecurity Regs

The beginning of March, and a spell of unseasonably warm weather, graced the Northeast this week.  So too did New York’s first-in-the-nation cybersecurity regulations.  As we reported here in January, the initial launch of regulations was scuttled in response to industry concerns about scope and the inability to modify internal security measures by the established deadlines.  This resistance led New York’s Department of Financial Services (“DFS”) to slightly modify the regulations and delay implementation by one month.  … More

Friend or Foe? State Attorneys General Start to Change Their Tune on Industry & Cybersecurity

Should businesses be thought of as victims or bad actors when it comes to data breaches?  State attorneys general are embracing the idea that businesses are not necessarily adversaries in the struggle to protect sensitive consumer information.  Over the past several years state attorneys general have exerted efforts to both educate businesses as to their data privacy responsibilities, and collaborate with businesses in constructing more robust cybersecurity policies.  The spotlight now is on the Ohio Attorney General,… More

Make Cybersecurity Great Again? Cybersecurity Challenges — and Opportunities — for the Trump Administration

The Trump Administration has taken office at a time when cybersecurity has increasingly entered the public consciousness as a major challenge facing both the United States government and the business community.  Cyberattacks from both criminal and state actors have bedeviled businesses and roiled politics over the past year.  Against this backdrop, the administration has professed a strong commitment to cybersecurity, for instance designating former New York City Mayor Rudy Giuliani as a high-profile cybersecurity liaison to the private sector,… More

How Should We Think About Cyber War, Where Rules Remain to be Written?

The recent hack of the Democratic National Committee (DNC) and the United States’ subsequent decision to impose retaliatory sanctions against Russia poses an important question:  what does international law have to say about state-sponsored cyberattacks?  Unfortunately, and perhaps unsurprisingly, the answer is, very little.  While technological innovation races ahead at warp speed, international law has lagged behind.

There are no international treaties on cyber warfare.… More

New York’s “First in the Nation” Financial-Sector Cybersecurity Regulations Put on Hold

In late December, New York’s Financial Services Superintendent Maria T. Vullo announced that the New York’s Department of Financial Services’ (“DFS”) new cybersecurity regulations would not go into effect on January 1, 2017 as initially planned.  These “first-in-the-nation” cybersecurity regulations were designed to help protect consumers and the financial system from the increasingly serious threat of cyberattacks.  However, the regulations faced opposition from the financial services companies and insurers that would have been subject to them.… More

Cybersecurity 2017 – The Year in Preview: Changes Afoot in Federal Enforcement?

Editor’s note:  This is the sixth and last in our end-of-year series.  See our previous posts on trade secrets, state regulation and law enforcement, HIPAA compliance, emerging threats, and energy.  See you in 2017!

Fragmentation in U.S. data privacy and cybersecurity law is both peril and promise.  The peril?  Businesses must contend with uncertainty and the costs associated with pleasing many regulatory masters. … More

Additional Clarification regarding HHS OCR Phishing Email Alert

More information from HHS OCR about the phishing threat:

  • On November 28, 2016, the HHS Office for Civil Rights issued a listserv announcement warning covered entities and their business associates about a phishing email that disguises itself as an official communication from the Department. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,… More

HHS OCR Alert: Phishing Email Disguised as Official OCR Audit Communication

This alert just in from HHS OCR:

“It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.  The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy,… More
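The alert above describes a message built to look official: Departmental letterhead, the Director’s signature, and a link the reader is urged to click. The one thing a forger cannot easily fake is where that link and the message actually go. The following is an added example, not part of the OCR alert or any HHS tooling: it parses a message, pulls every link out of the HTML body, and flags any sender or link host that is not hhs.gov or a genuine subdomain of it, plus a Return-Path that disagrees with the From header and anchor text that displays one URL while pointing at another. The sample message, the lookalike host `hhs-gov-audit.example`, and the recipient address are constructed for the example; the only real-world fact assumed is that HHS uses the hhs.gov domain.

```python
"""Flag links and sender domains in a message that claims to come from HHS OCR.

Added example, not part of the OCR alert; the sample message and the
lookalike host in it are constructed.  Only hhs.gov is assumed to be real.
"""
import email
from email import policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "hhs.gov"  # assumption: the only domain an OCR notice may use


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of [href, anchor_text]
        self._open = None    # the <a> currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]
            self.links.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text.strip()) for href, text in parser.links]


def host_of(url):
    """Hostname of a URL, lower-cased, with userinfo and port stripped."""
    return (urlparse(url).hostname or "").lower()


def is_official_host(host, official=OFFICIAL_DOMAIN):
    """True only for the official domain or a real subdomain of it.

    The comparison is on a label boundary, so 'hhs-gov.us' and
    'hhs.gov.evil.example' both fail; a substring test would pass them.
    """
    return host == official or host.endswith("." + official)


def sender_domain(msg, header):
    """Domain part of the address in the given header ('' if absent)."""
    addr = utils.parseaddr(str(msg.get(header, "")))[1]
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_dom = sender_domain(msg, "From")
    rp_dom = sender_domain(msg, "Return-Path")
    if from_dom and not is_official_host(from_dom):
        findings.append(f"From domain is not official: {from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in extract_links(text):
        host = host_of(href)
        if not is_official_host(host):
            findings.append(f"link host is not official: {host} (anchor text {anchor!r})")
        # Anchor text that shows a URL must point at the host it displays.
        if anchor.startswith("http") and host_of(anchor) != host:
            findings.append(f"anchor text {anchor!r} does not match link host {host}")
    return findings


# Constructed sample: the From address looks right, but the bounce address
# and the audit link both go to a lookalike host.
SAMPLE = """\
From: "OCR Director" <director@hhs.gov>
Return-Path: <bounce@hhs-gov-audit.example>
To: privacy-officer@clinic.example
Subject: HIPAA Privacy, Security, and Breach Rules Audit Program
Content-Type: text/html; charset=utf-8

<html><body><p>Your organization may be included in the audit program.</p>
<p><a href="http://hhs-gov-audit.example/audit/login">https://www.hhs.gov/ocr/audit</a></p>
<p><a href="https://www.hhs.gov/ocr/index.html">OCR home</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("FINDING:", finding)
```

Run against the constructed sample it reports three findings: the Return-Path mismatch, the non-official link host, and the anchor text that displays an hhs.gov URL over a different host. The second link, a real hhs.gov page, produces nothing. The check is deliberately narrow; it does not follow redirects or inspect the destination, so a link that lands on hhs.gov by way of an open redirect would need a separate test.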

Cybersecurity 2017 – The Year In Preview: HIPAA Compliance

Editor’s Note:  This is the third in a continuing end-of-year series.  See our previous posts on trade secrets and state regulation and law enforcement.  Up next:  the changing threat landscape.

The year ahead promises to be a busy one for those with responsibility for HIPAA compliance, as the Office for Civil Rights (OCR), charged with enforcing HIPAA, continues to lean in to compliance initiatives and addresses new questions in the rapidly-evolving healthcare information technology environment.… More

Cybersecurity 2017 – The Year In Preview: The Changing Face of State Law and Enforcement

Editor’s Note:  This is the second in a continuing end-of-year series.  Stay tuned for our next installment, discussing HIPAA compliance.

In the patchwork of state and federal law regulating the use and maintenance of personal confidential information, states play a significant role and can often be the most important regulator and law enforcement authority.  Recent events have signaled changes in how states interpret and enforce their data privacy standards —… More

Cybersecurity 2017 – The Year In Preview: Trade Secret Theft Takes Center Stage

Editor’s Note:  This is the first of an end-of-year series of posts examining coming trends in cybersecurity.  Posts will examine trends in state regulations, federal regulatory authority, the changing nature of the threat landscape, and HIPAA.  This post discusses a shift in concern from personal consumer information toward company trade secrets.

When it comes to the issue of data privacy and security, especially among lawyers, the discussion generally concerns personally identifiable information. … More

Cybersecurity: Are You Ready for the Next Attack?

The U.S. Department of Homeland Security says that all employees need to know the signs of a cyber-attack, not just those who work in the IT field. This is increasingly important as more companies move business operations online. The Department stresses employees should make passwords complex, beware of phishing emails and report all suspicious activity to their company’s IT department.

Last week, attorney Chris Hart joined the Boston Business Journal’s Table of Experts program to provide insights into how to protect a company from a cyberattack,… More

Cybersecurity News and Notes – September 13, 2016

In Case You Missed It:  The Federal Trade Commission has opened a public comment period to evaluate its Safeguards Rule (16 C.F.R. § 314.3).  Under the Gramm-Leach-Bliley Act (GLBA), which regulates financial institutions, the FTC is empowered to promulgate regulations governing how financial institutions secure consumer information.  The Safeguards Rule, as currently in force, does not have specific “how-to” requirements, but rather broad and flexible standards that financial institutions can use as guidelines in assessing risks to the data they maintain and in developing viable security plans. … More

Cybersecurity News and Notes – August 29, 2016

In Case You Missed It: Sometimes data breaches crop up in the most unlikely of places.  Last week we learned that the vendor that handles fishing and hunting licenses for the states of Idaho, Oregon, and Washington was hacked.  The breach potentially exposed the following information for those with fishing or hunting licenses in those northwest states: names, addresses, driver’s license numbers, dates of birth, and the last four digits of Social Security numbers. … More

Cybersecurity News & Notes – August 8, 2016

In Case You Missed It:  In a sign of the growing importance of cyber operations in warfare, the Obama administration plans to elevate the status of the Pentagon’s Cyber Command.  The U.S. Cyber Command, or USCYBERCOM, was created on June 23, 2009.  Its stated mission is to, among other things, “conduct full spectrum military cyberspace operations” to “ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”  Currently,… More

Cybersecurity News and Notes – August 1

In Case You Missed It:  The Federal Trade Commission issued an opinion in the LabMD case, overturning an ALJ’s November 2015 decision holding that the FTC failed to meet its burden to prove that LabMD’s data security practices caused or were likely to cause substantial consumer injury.  (See this blog’s previous coverage of that decision here.)  The FTC’s complaint against the company concerned two different data privacy incidents that allegedly affected over 10,000 consumers. … More

Guest Podcast: Europe’s New General Data Protection Regulation–What Is It and Are You Ready for It?

Are you looking for an introduction to the European Union’s General Data Protection Regulation (GDPR)?  To find out when and how it’s going to impact you and your organization, listen to this quick 10 minute podcast with Deborah Hurley. Deborah is an adjunct professor of the practice of computer science at Brown University, fellow at the Institute for Quantitative Social Science at Harvard University, and principal at Hurley Consulting.… More

Cybersecurity News and Notes – July 25, 2016

In Case You Missed It: U.S. major party platforms address cybersecurity.  The two major parties have released their 2016 election platforms, both of which include cybersecurity planks.  The Republican platform treats cybersecurity as an element of national security and international relations. The platform called for harsh responses to cyber-attacks against American businesses, institutions, and government, applauded the Cybersecurity Information Sharing Act of 2015, and pledged to “explore the possibility of a free market for Cyber-Insurance.” The Democratic platform is largely a continuation of President Obama’s cybersecurity policies.… More

HHS OCR Guidance on Ransomware Attacks: They Constitute a “Security Incident” and Are Likely a Data Breach

On July 11, 2016, the HHS Office for Civil Rights (OCR) released guidance on HIPAA covered entities’ responsibilities in a ransomware attack, a type of cyber-attack that has targeted the health care sector extensively in recent months. This guidance comes in the wake of a June 20, 2016 “Dear Colleague” letter from HHS Secretary Sylvia Burwell highlighting ransomware issues. The most notable of OCR’s statements is that ransomware attacks often constitute breaches subject to the HIPAA Breach Notification Rule.… More

Law360: Pokemon Go Developer Wades Into Privacy Minefield

This post originally appeared in Law360. Written by Allison Grande. Edited by Philip Shea and Brian Baresch

The rapid rise of the hit smartphone game “Pokemon Go” has opened the developer of the app up to heavy scrutiny from regulators and users, who may end up wielding a variety of privacy and consumer protection laws to address concerns over the type and quantity of data being collected.… More

Pokémon Go Catches More Than It Bargained For

The recently-released Pokémon Go has quickly emerged as a cultural phenomenon, with legions of players using their phones to “catch” Pokémon that emerge all around them, visible (thankfully) only to players.  While catching Pokémon by phone is far less cumbersome than collecting boxes upon boxes of Pokémon cards, as some of us did in the early aughts, it does come with its own set of pitfalls.  Specifically,… More

Cybersecurity News & Notes – July 5, 2016

In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach.  The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices.  A U.S. District Court ruling last week casts some doubt on that authority. … More

Cybersecurity News and Notes: June 27, 2016

In Case You Missed It

The FTC settled with mobile advertising company InMobi for $950,000 in civil penalties, along with the implementation of a privacy program, based on the FTC’s charges that InMobi impermissibly tracked the locations of both adult and child consumers for the purpose of geo-targeted advertising.  The latter, of course, also implicated allegations of violations of the Children’s Online Privacy Protection Act (COPPA) rule. … More

DHS Issues New Rules Governing Sharing of Cyberthreat Data

Last week, the Department of Homeland Security (“DHS”) released its Final Rules for private-sector information-sharing under the Cybersecurity Information Sharing Act of 2015 (“CISA”). CISA permits private companies to share cyber threat information with the U.S. government and shields those companies from liability for doing so.  The new CISA Rules outline exactly how this information-sharing will work, namely: how information is submitted; what information gets submitted; and what happens to the information after submission.… More

Cybersecurity News & Notes – June 20, 2016

In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017.  The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account.  The definition is also expanded to include medical and health insurance information. … More

Ransomware Update: The FBI Weighs In

The FBI recently released an article discussing the spate of ransomware attacks on a variety of different entities, including hospitals. In the article, the FBI warned that ransomware attacks and the cybercriminals carrying them out are growing increasingly sophisticated.  The FBI opposes paying a ransom when hit by a ransomware attack, saying that doing so incentivizes more ransomware attacks, can inadvertently fund other illegal activity, and does not always result in the restoration of access. … More

Cybersecurity News & Notes – June 13, 2016: A Brief Digest of Cybersecurity News You Can Use

In Case You Missed It:  The SEC fined Morgan Stanley $1 million for a 2014 data breach.  While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion.  The  SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. … More

Join Us June 23: Cybersecurity Challenges and Solutions for Emerging Managers

Hedge Fund Association Symposium in Boston

The Securities and Exchange Commission has reiterated that cybersecurity threats and the adoption of sufficient policies and procedures will remain a compliance and examination priority for 2016. Please join us for a discussion of the primary threats facing managers of private funds, particularly emerging managers, and practical steps that they should be taking to protect their business from cybersecurity threats.

This event is complimentary for HFA members and friends of Foley Hoag. … More

Watch: HIPAA Crimes Webinar – How the New Crime Wave Affects You

Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.… More

Join Us on May 25: The End of the “Safe Harbor” for E.U./U.S. Data Transfer

How Can Companies Transfer Personal Data and Remain Compliant?

The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York are pleased to invite you to a timely panel discussion and networking event.

Date: Wednesday, May 25
Time: 6:00 pm – 8:00 pm
Location: Consulate General of France
934 Fifth Avenue
New York,… More

Cybersecurity, Corporate Governance, and Risk Management: Best Practices

As litigators, we help clients resolve conflicts that have matured into disputes.  In the realm of cybersecurity, we defend claims brought by private parties or governmental entities against companies facing the fallout from a data breach.

In advising clients in the context of litigation, we have identified tools that are available to mitigate or prevent the types of breaches that we see in litigation.  In the area of cybersecurity,… More

Top Tips for OCR HIPAA Audit Preparation

Written by Elizabeth Snell | This article was originally published on HealthITSecurity.com 

The recently announced OCR HIPAA audits are not a cause for panic, according to experts, especially if organizations have proper documentation.

With the most recent round of OCR HIPAA audits announced just last month, many healthcare organizations are working to ensure that they are prepared should they be called for investigation.… More

EU General Data Protection Regulation Adopted

After years of intense discussions, the EU General Data Protection Regulation (GDPR) was finally adopted on 14 April 2016.

The GDPR sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies.  For example:

  • data controllers (companies collecting and using personal information) will have a wide range of new obligations,…
More

EU-US Privacy Shield: Working Party Urges European Commission to Improve Current Scheme

After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield.  However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreement, and it did so on April 13.… More

How Hospitals Can Avoid Being the Next Ransomware Victim

Hospitals are increasingly the target of hackers, particularly in the form of “ransomware.”  What follows is a primer on ransomware and how to avoid being a target of it.

What is ransomware? 

Ransomware is a type of malware that limits users’ access to their computer systems. It functions by locking a user’s system and/or encrypting its files.… More

Details of the EU-U.S. Privacy Shield Framework Unveiled

The content of the Privacy Shield was made public yesterday and today.

The new framework dedicated to the EU / US flow of personal data is in fact a combination of several documents issued by the US and the EU.

On the US side, we have a letter sent by the U.S. Secretary of Commerce Penny Pritzker on 23 February 2016 to EU Commissioner Věra Jourová including the “package of EU-US Privacy Shield materials” (of 128 pages) which is made of 6 letters issued by various US officials (see details at the end of this article).… More

President Obama Signs the Judicial Redress Act (H.R.1428/S.1600)

As part of implementing the EU-US Privacy Shield, on February 24, 2016, President Obama signed the Judicial Redress Act (H.R.1428/S.1600). This law is designed to give EU citizens the right to sue the U.S. government for privacy violations.  In particular:

  • It authorizes the U.S. Department of Justice to designate specific foreign countries or regional economic integration organizations (i.e., the EU) whose natural citizens may bring civil actions under the U.S.…
More

In Cybersecurity, No Harm Does Not Necessarily Mean No Foul

This article was originally published in Law360 with permission to reprint.

How much does the question of harm matter in cybersecurity law? The answer is: It depends on who is bringing the claim.

Businesses confronting data breaches can face litigation from private consumers as well as from governmental entities. Managing litigation risk varies in these contexts because of the limitations of bringing private rights of action.… More

The Cybersecurity Act of 2015: Implications for Threat Sharing

On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).

CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.… More

Guidance on EU-US Data Flow Delayed by New Terrorist Threats in Brussels

Today, the Article 29 Working Party (the advisory body on data protection and privacy composed of representatives from the national data protection authorities of all EU Member States) was to meet in Brussels to discuss, amongst other things, the consequences of the European Court of Justice ruling of 6 October 2015 in the Maximilian Schrems case, with EU-US data flow at the top of its agenda.

However,… More

The LabMD Case: Further Defining the FTC’s Enforcement Powers

The scaffolding of the FTC’s powers in the realm of cybersecurity continues to be built.  On Monday, the FTC’s Chief Administrative Law Judge D. Michael Chappell issued an initial decision in the FTC’s closely watched enforcement action against LabMD.  The case involves a 2008 incident in which a data security company (Tiversa Holding Co.) discovered a LabMD document containing personal information of 9,300 patients was available on a P2P file sharing network. … More

Advanced Cyber Security Center Panel Explores Reasonableness in Cybersecurity

I had the pleasure of moderating an excellent panel at the Advanced Cyber Security Center’s annual conference on November 4. The panel’s topic for discussion was “What is Reasonable in Cybersecurity: Responsibility and Accountability for Cybersecurity Practices.” I learned a great deal from our excellent panelists, Gus Coldebella (Fish & Richardson), Deborah Hurley (Harvard University), and John Krebs (Federal Trade Commission), as well as from the audience’s questions.… More

CFTC Approves NFA Interpretive Notice on Information Systems Security Programs, Including Cybersecurity Guidance

By Catherine M. Anderson and Kate Leonard

The CFTC recently approved the National Futures Association’s interpretive notice (the “Cybersecurity Notice”) on the general requirements that members should implement for their information systems security programs (“ISSPs”), which includes cybersecurity guidance and ongoing testing and training obligations.

The Cybersecurity Notice will be effective March 1, 2016 and applies to futures commissions merchants, commodity trading advisors,… More

Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”

A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age:  The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks.  At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention,… More

Cybersecurity and Information Sharing Act Clears Senate Hurdle; House Action Unclear

The Cybersecurity and Information Sharing Act (S.754), or CISA, cleared an important hurdle on Thursday when the Senate voted 83-14 to end debate on several amendments to the bill.  CISA creates a cyberthreat information sharing system to, in the words of the bill, “improve cybersecurity in the United States.”  Specifically, as currently drafted, the bill requires various government actors and agencies (such as the Attorney General and the Department of Homeland Security) to create specific policies and regulations relating to the sharing of cyberthreat data from private entities and within government entities.  … More

What is reasonable? The emerging legalities of cybersecurity post-Wyndham

This month’s edition of the Advanced Cyber Security Center’s newsletter includes my discussion of lessons to be learned from the Wyndham decision:

Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft, and they proceeded with business as usual with the comfort of the anti-virus protection that may have come with their computer.… More

COPPA, Meet DOPPA – Delaware AG Action Leads to New Child-Protection Data Privacy Laws

Delaware Attorney General Matt Denn is serious about online privacy, and aims to make Delaware “the safest state in America for kids to use the internet.” This August, Delaware Governor Jack Markell signed into law four online privacy bills drafted by the Attorney General, the most substantial of which is the Delaware Online Privacy and Protection Act.

DOPPA goes further than its federal cousin,… More

Understanding ISO 27018 and Preparing for the Modern Era of Cloud Security

This seminar was presented by Foley Hoag LLP and a panel of industry experts on ISO 27018, the new international standard governing the processing and protection of personal information by public Cloud Service Providers (CSPs). Even though this new standard is voluntary, it is widely expected to become the benchmark for CSPs going forward.

As the first and only international privacy standard for the cloud,… More

DOJ Releases Best Practices for Victim Response and Reporting of Cyber Incidents

Last week, the Cybersecurity Unit of the Department of Justice (DOJ) issued a list of “best practices” for companies concerning preparing for and responding to cyber-attacks. The report details the lessons federal prosecutors have learned while handling cyber investigations, as well as feedback from private sector companies. Some of the key pieces of advice are:

  • Identify Your “Crown Jewels”: Before creating a cyber-incident response plan,…
More

Cyber Risks and the Boardroom — The Role of Cyber Insurance

I am just back from presenting at the New York Stock Exchange’s program on Cyber Risks and the Boardroom, where I presented on The Role of Cyber Insurance.  My presentation is here:  2015_04_21_The_Role_of_Cyber_Insurance_NYSE_Presentation.  It was evident from this program that the C-suite is very concerned about cyber issues, but management and their boards often lack the expertise to deal with them effectively. With specific regard to cyber insurance,… More

Obama Executive Order Targets International Cyberattacks Against U.S. with New Sanctions

By Gwen Jaramillo and Shrutih V. Tewarie

As part of a series of measures aimed at increasing preparedness and defenses against international cyberattacks on U.S. industries and government agencies, on April 1, President Obama issued Executive Order No. 13694, authorizing the Treasury Department’s Office of Foreign Assets Control (OFAC) to sanction foreign individuals or entities committing such attacks. The new sanctions will allow the Treasury Department to block or freeze the assets of those outside the U.S.… More

HIPAA Compliant Technology and the Importance of Encryption

We welcome this guest blog by Gene Fry, Compliance Officer, Scrypt, Inc.

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. This means that any covered entity (CE) or business associate (BA) that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The HIPAA Privacy Rule addresses the storage,… More

Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part III: Five Key Lessons for Business

Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.

Here are five takeaways for companies large and small:

  1. Companies are only as secure as their most vulnerable employee.…
More

Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part II: The Executive Order

As a follow up to our summary of the key takeaways from the White House’s first Summit on Cybersecurity and Consumer Protection, the centerpiece of which was President Obama’s signing of a new Executive Order, “Promoting Private Sector Cybersecurity Information Sharing,” what follows is an analysis of that Order.

What does the Order actually do?

The Order “promotes…encourages…and…allows” but does not require anything.… More

Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part I

The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama.  The purpose of the summit:  to “bring[] together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.”  These stakeholders, a number of public and private sector leaders,… More

One More New Year’s Resolution: Change Your Passwords Before Groundhog Day

The SplashData list of worst passwords of 2014 was just published, and it looks very similar to the list in 2013, 2012, 2011, etc.:

Rank  Password   Change from 2013
1     123456     No Change
2     password   No Change
3     12345      Up 17
4     12345678   Down 1
5     qwerty     Down 1
6     123456789  No Change
7     1234       Up 9
8     baseball   New
9     dragon     New
10    football   New
11    1234567    Down 4
12    monkey     Up 5
13    letmein    Up 1
14    abc123     Down 9
15    111111     Down 8
16    mustang    New
17    access     New
18    shadow     Unchanged
19    master     New
20    michael    New
21    superman   New
22    696969     New
23    123123     Down 12
24    batman     New
25    trustno1   Down 1

Sadly,… More

Five Tips to Help Companies Protect Themselves from Data Breaches

With every swipe of a credit card this holiday season, consumers put their faith in the companies that process and store their information. Yet, it is no secret that data breaches are on the rise, hitting companies large and small. Massive data breaches recently struck Target and Home Depot, to just name a few, and these two breaches alone affected hundreds of millions of consumers and cost the companies hundreds of millions of dollars.… More

FDA Flunks Data Security Exam

Last week, the HHS Office of Inspector General released a damning report on FDA’s data security:  “The objective of this review was to determine whether the FDA’s network and external Web applications were vulnerable to compromise through cyber attacks.”  In short, they were vulnerable:

Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network,… More

New COPPA Safe Harbor Added By iKeepSafe

Last week, the FTC announced approval of a new Safe Harbor Program under the Children’s Online Privacy Protection Act (COPPA), called iKeepSafe. The program was created by the Internet Keep Safe Coalition, a nonprofit organization that describes its goal as the “creation of positive resources for parents, educators and policymakers who teach youths how to use new media devices and platforms in safe and healthy ways.”

The COPPA Rule affords some flexibility in compliance through use of a safe harbor provision,… More

State Securities Regulators in Massachusetts and Illinois Survey Investment Advisors on Cybersecurity Practices

Picking up on the SEC’s initiative to assess cybersecurity preparedness discussed here previously, state securities regulators in Massachusetts and Illinois sent to investment advisors registered in their respective states a survey on their cybersecurity practices.

The Massachusetts surveys were sent on June 3 and a response is due on June 24. William F. Galvin, Secretary of the Commonwealth, whose jurisdiction includes the Massachusetts Securities Division,… More

The SEC’s Power to Take Enforcement Action Against Cybersecurity Violators

To buttress the SEC’s initiative to assess cybersecurity preparedness in its risk alert discussed here previously, the SEC also has the power to bring enforcement actions against registered entities that fail to meet cybersecurity requisites. Specifically, the SEC may bring an enforcement action against registered entities that violate the safeguards rule of Regulation S-P (17 CFR § 248.30(a)) (commonly referred to as the “Safeguards Rule”).… More

SEC Issues Risk Alert on Cybersecurity Initiative for Investment Advisers

Our colleagues Catherine M. Anderson and Jennifer M. Macarchuk have summarized the recent SEC Risk Alert regarding its initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers.

The full text of the Risk Alert is available here.

SEC-registered investment advisers should review the Risk Alert,… More

FTC Provides Guidance on Heartbleed

I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed.  Talk to your IT folks about this sooner rather than later:

By Nicole Vincent Fleming

April 11, 2014 –… More

SEC Hosts Cybersecurity Roundtable

Cybersecurity remains a hot topic for regulators, including the Securities and Exchange Commission (SEC).  On March 26, 2014, the SEC hosted a roundtable to discuss cybersecurity and the issues and challenges it raises for market participants.  The roundtable addressed cybersecurity concerns for investment advisers, broker-dealers and public companies, and provided a forum to share information as to how they are addressing those challenges. This roundtable follows hard on the heels of the Financial Industry Regulatory Authority (FINRA) sending targeted sweep letters in January-February 2014 to broker-dealers querying their approaches to managing cybersecurity risks.… More

Rare Massachusetts Superior Court Decision Interpreting the CFAA Takes the Narrow View Without Squarely Addressing the Broad

This is a cross-post from our sister blog, Massachusetts Noncompete Law:

Judge Peter M. Lauriat of the Massachusetts Superior Court decided late last year that an employee who takes confidential documents from her employer’s electronic document system to use in a discrimination lawsuit against her employer is not liable to the employer under the Computer Fraud and Abuse Act (CFAA), especially when the employer knew about the lawsuit but nonetheless did not restrict the employee’s access to those documents while she was working for the employer. … More

Sony Class Action Has A Few Lives Left; Most of Plaintiffs’ Claims Dismissed But Certain Consumer Claims Remain

On January 21, 2014, U.S. District Judge Anthony Battaglia issued a 97-page order that dismissed the majority of the claims in a putative class action against various Sony entities, claims relating to the 2011 hack into the computer network system that Sony used to provide online gaming and Internet connectivity through PSP handhelds and PS3 game consoles.

According to Judge Battaglia, “The fifty-one claims alleged in the FACC can be categorized into nine sub-groups: (1) negligence;… More

Federal Judge Rules NSA Phone Record Collection Likely Unconstitutional

In a 68 page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs:

  • “have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”;
  • “have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim”;…
More

Check Your Technology at the Door

Recent news of government monitoring of phone calls and emails, both within the U.S. and abroad, has caused some to reexamine their technological companions.  Many are beginning to ask, when highly confidential and sensitive information is being discussed, should our seemingly indispensable technology be checked at the door?

This month, the British government began banning the presence of iPads at certain Cabinet meetings over concerns that the devices could contain viruses that would allow third parties to take control of the microphone and transmit recorded audio. … More

iPhone’s Fingerprint Scanner Raises Privacy and Security Concerns

Apple’s latest iteration of the iPhone (the iPhone 5S) went on sale last Friday.  The phone contains a new feature called Touch ID, which allows iPhone owners to unlock and purchase content from Apple’s online store using a fingerprint reader housed in the iPhone’s home button.  As expected, Apple’s use of biometric authentication has raised a number of security and privacy concerns among the public. … More

More on President Obama’s Executive Order on Cybersecurity

On February 12, 2013, President Obama signed an executive order entitled “Improving Critical Infrastructure Cybersecurity.”  The Order has two key components.

First, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence must ensure timely production of unclassified reports of cyber threats and must rapidly disseminate the reports to the targeted entities.

Second, the National Institute of Standards and Technology (“NIST”),… More

Administration Rolls Out Its New Cybersecurity Policy

Yesterday President Obama signed an executive order directing federal agencies to develop voluntary best cyber security practices for key industry sectors and to create a system for broader public-private information sharing, and today administration officials have been speaking at an event highlighting the order. The Order places primary responsibility for managing cyber security in the hands of the Department of Homeland Security. Under the Order, the government will also be identifying baseline data and systems requirements for the government to allow the exchange of information and intelligence,… More

Pentagon to Increase Cybersecurity Force More than Five Times Current Size

In a recent article, the Washington Post reported that “The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.”

The Pentagon’s plan would create three types of forces under the Cyber Command:

  • “national mission forces” to protect computer systems that undergird electrical grids,…
More

Should You Trust Your Network to a Chinese Company?

A recent article in The Economist questions whether it is safe and secure to trust a company’s computer network to a Chinese company. The specific concern in that Economist article related to “a Chinese company with connections to the Chinese government and the People’s Liberation Army (PLA)” that would be providing services inside the corporate firewall.  An unnamed former member of the U.S. Joint Chiefs of Staff minced no words about this: “We’d be crazy to let [that Chinese company] on our networks,… More

White House States Support for Sen. Lieberman’s Cybersecurity Act of 2012

The Obama Administration officially put its weight behind Sen. Lieberman’s Cybersecurity Act of 2012, with the issuance of the following Statement of Administration Policy:

STATEMENT OF ADMINISTRATION POLICY

S. 3414 – Cybersecurity Act of 2012

(Sen. Lieberman, I-CT, and 4 cosponsors)

The Administration strongly supports Senate passage of S. 3414, the Cybersecurity Act of 2012. While lacking some of the key provisions of earlier bills,… More

A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat.

On Information Sharing:  This is a continuing challenge, in part because of the way the federal government shares information.  At present, the federal government provides cyber threat information to private sector organizations,… More

Governments Hire Hackers to Work for Them

Interesting article in Forbes, "The Zero-Day Salesmen," about "government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets." More

Good Advice that Bears Repeating: Toughen Up Your Passwords!

In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords.  But despite the efforts of these researchers, the article’s conclusion is a gloomy one:

The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple.… More

Jail Time for Man Who Accessed Computer of a Competing Medical Practice

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice.

The individual worked as an information technology specialist for a perinatal medical practice in Atlanta.  He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building.  He then used his home computer to hack into his former employer’s patient database. … More

“Performing Due Diligence Before Signing a Cloud SLA”

My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."

* * *

No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud. … More

Is Public-Private Information Sharing Needed to Respond to the Massive Increase in Cyber Attacks?

Interesting article in Friday’s Wall Street Journal on potential cybersecurity legislation to improve information sharing between industry and government.  Perhaps the best part of the article is the citation of statistics from Symantec’s annual Internet Security Threat Report:  Trends for 2009 and 2010 on how many updates Symantec sent out to customers to address the new attacks those customers were facing:

  • 2002:  20,254 updates
  • 2003:  19,159 updates
  • 2004:  74,981 updates
  • 2005:  113,081 updates
  • 2006:  167,069 updates
  • 2007:  708,742 updates
  • 2008:  1,691,323 updates
  • 2009:  2,895,802 updates
  • 2010:  10,000,000 updates
  • More

“Foreign Spies Stealing US Economic Secrets in Cyberspace”

With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011” is tough to ignore.

The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments:

  • “Chinese actors are the world’s most active and persistent perpetrators of economic espionage.…
  • More

Microsoft Report Challenges Conventional Wisdom on Cybercrime Losses

It’s a pretty technical read, but this recent Microsoft report, "Sex, Lies and Cyber-crime Surveys" by Dinei Florencio and Cormac Herley tries to support an interesting hypothesis:  cyber-crime surveys that suggest huge losses from hacking and phishing aren’t reliable.  Here’s an excerpt of their thinking:

First, [cyber-crime] losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses.… More

Is Teamwork the Answer to Data Security?

Increasingly, alliances are viewed as an important way to improve data security. The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries. We have previously noted two other initiatives: the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel) and InfraGard, a Federal Bureau of Investigation program. … More

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:

“Pressure Point: Online Privacy — Privacy is Potentially a Costly Workplace Issue”

In the April 22, 2011 Boston Business Journal article entitled "Pressure Point: Online Privacy — Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers:

  • “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. It comes down to someone doing something stupid,”…
  • More

Information Security In the Age of WikiLeaks

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects:

  • Could a Major Security Breach Be on the Horizon?
  • The Smartphone Dilemma
  • What Elements Are Currently Covered in Your Organization’s Security Awareness Program?
  • Security Budgets Fare Well
  • Implementing Risk Management Disciplines
  • Do You Really Know Who Your Friends Are?…
  • More

White House Releases Framework for National Strategy for Trusted Identities in Cyberspace

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:

The goal of NSTIC is to create an “Identity Ecosystem”… More

NIST Launches Web Site for National Strategy for Trusted Identities in Cyberspace

The National Institute of Standards and Technology (NIST), a federal agency within the Department of Commerce, has launched a web site detailing President Obama’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, initially released for public comment in June 2010, was developed in response to the Obama Administration’s 2009 Cyberspace Policy Review, which called for the creation of a “cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests,… More

U.S. Supreme Court Upholds NASA Background Checks

In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . .  [and] to certain open-ended questions on a form sent to employees’ designated references.”

This particular challenge came from 28 employees of the Jet Propulsion Laboratory (“JPL”).  JPL is staffed exclusively by contract employees. … More

Tracking Protection to be Included in Internet Explorer 9: Is This the Tipping Point?

Microsoft announced yesterday in its IE blog that it will be adding a tracking protection feature to Internet Explorer 9.  In particular, Microsoft promises that:

  1. IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking.
  2. “Tracking Protection Lists” will enable consumers to control what third-party site content can track them when they’re online.

Together with the FTC’s jump into the tracking fray last week,… More

Iranian Journalist Files Suit against Nokia Siemens Networks for Use of Network in Torture

The following item was posted recently on Foley Hoag’s Corporate Social Responsibility and the Law blog, and we thought it would be of interest to our readers. Companies seeking to develop privacy policies that both comply with national laws and respect internationally recognized human rights often face difficult challenges, especially when confronted with specific host government requests. All companies concerned with the human rights implications of their activities are advised to assess the sufficiency of existing policies as well as the company’s capacity to identify and manage potentially challenging scenarios.… More

Balancing Privacy and Security in an Age of Instant, Ubiquitous Communications

A recent article in the New York Times discussed the "growing tension between communications companies and governments over how to balance privacy with national security." This tension is not limited to that context, however. Nearly every workplace that uses email faces a similar tension between open access and secure communications. And this debate splits people. An ongoing informal survey by The Economist suggests that the number of people who want more control and restrictions over communication is nearly equally balanced by those who chafe at such restrictions. … More

One More Reason to Secure Your Wireless Network

In a federal court case decided earlier this year, United States v. Ahrndt, the court held that an individual had no reasonable expectation of privacy in the use of an unsecured wireless network. The details of this decision are instructive for those still looking at questions of network privacy and security.

This case had its start in 2007, when a woman referred to as JH was using her personal computer at her home in Oregon.… More

Albert Gonzalez Gets 20 Years for TJX / Heartland Breaches

Last week was a tough week for Albert Gonzalez, the so-called "leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government."  Gonzalez received a sentence of 20 years of imprisonment in two separate federal cases against him.  The hacker, known variously as "segvec," "soupnazi" and "j4guar17" pled guilty in the New Jersey and Massachusetts cases for his role as mastermind of the two largest financial data breaches ever,… More

FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data. 

Poorly supervised use of P2P networks has frequently been the subject of unwanted attention,… More

Incident(s) of the Week: February A Tough Month For Hackers

1.  Arrested: Russian Hacker Responsible for Two Minutes of Roadside Porn 

The hacker who managed to compromise computer servers controlling a large commercial advertising screen in Moscow was arrested recently by Russian authorities.  On January 14, 2010, commuters on Moscow’s Garden Ring Road passed a large-scale video screen and instead of the normal commercial advertisements saw two minutes of hard-core pornography.  The video, as well as the resulting traffic problems,… More

Incidents of the Week: Iranian Cyber Army Targets Twitter & $26 Software Application Intercepts U.S. Military Satellite Feeds In Iraq

1.  Iranian Cyber Army Puts Twitter On Hold

Around 10 pm last night, the popular social networking site Twitter was apparently hacked by a group calling themselves the Iranian Cyber Army. Iran and Twitter have had a rocky relationship since last summer, when Iranian citizens spread the protests over the Iranian elections to the popular web site. During that time, links circulated on Twitter that allowed users to participate in DoS (Denial of Service) attacks on Iranian government websites. … More

Incident of the Week: U.S. Law Firms and Public Relations Firms Hit By E-mail Attack

Law firms holding sensitive data for their clients are the targets of a new round of organized cyberattacks, federal authorities cautioned this week.  On Tuesday, the FBI warned that U.S. law firms and public relations firms were being targeted by hackers using “spear phishing” attacks — personalized emails drafted to look like they come from a trusted or reputable source and designed to induce the reader to click an attachment or link that will infect his or her computer with malicious software. … More

Incident of the Week: ChoicePoint Settles FTC Charges That It Failed To Turn On “Key Monitoring Tool”

This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers. This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools.

Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected. According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com. The list was limited to accounts starting in A and B, raising the fear that many more accounts had been affected. The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack. But more information is surfacing that indicates that the breach is much larger than first thought.

Incident(s) of the Week: Double Feature

Incident of the Week: in our first double feature, we report on the recent breach announced at the University of North Carolina and the plea agreement reached with one Massachusetts inmate who hacked the prison computer system while still behind bars.

Massachusetts Attorney General Announces Opening of New Computer Forensics Lab

In a press release issued last week, Massachusetts Attorney General Martha Coakley announced the opening of a "new, state-of-the-art Computer Forensics Lab in Boston" as part of the Attorney General’s Cyber Crime Initiative. Under the Initiative, the Attorney General’s office received funding from the U.S. Department of Justice to "develop a sustainable cyber crime information sharing program in Massachusetts" for the Massachusetts law enforcement community.… More

Informants & Albert Gonzalez: She Swallowed the Spider to Catch the Fly

In August, Albert Gonzalez was indicted for the theft of credit and debit card information from Heartland Payment Systems, the largest known breach of its kind, while awaiting trial for a similar attack against TJX, the second largest known breach of its kind. Last week, Gonzalez pleaded guilty to nineteen charges relating to his role in the TJX breach (see Gonzalez’s 2008 indictment (.pdf) for a list of the various charges).… More

Incident of the Week: Indictments Issue Against The Individuals Behind RNS, Pirate Site for “Pre-Release” Music

Yesterday, a federal indictment issued charging four individuals for their roles in "Rabid Neurosis," or RNS, an alleged "Internet music piracy group" that distributed copies of music prior to its commercial release. According to the seven-page indictment (.pdf) filed in the federal court for the Eastern District of Virginia, between 1999 and 2007 RNS obtained and distributed a number of notable albums before they were released,… More

Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant’s Penetration Testing)

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates but which instead contained malware. The NCUA warned, “Should you receive this package or a similar package DO NOT run the CDs.” The NCUA, which regulates federally insured credit unions,… More

Incident of the Week (Year?): Hacker Responsible for Largest Data Breach in U.S. History Indicted

According to a press release from the United States Attorney’s Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history."  According to the press release, the indictment describes a scheme whereby Albert "Segvec" Gonzalez and two unnamed Russian defendants (identified as "Hacker 1"… More

Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft. The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometimes install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network. … More

Incident of the Week: Latvian Internet Service Provider Shut Down After Being Linked to Cybercrime Ring

Earlier this week, Latvian internet service provider Real Host was shut down by its upstream providers Junik and TeliaSonera after security experts linked Real Host to a number of criminal activities. Among the many activities allegedly conducted through Real Host were the use of malware to steal banking credentials, spam email campaigns and the hosting of command and control servers for the Zeus botnet (i.e.,… More

Secret Service and Europe Plan a Cybercrime Task Force

According to recent reports from the Wall Street Journal and Computerworld, on June 30 the United States Secret Service, the Italian police and Italian postal service reached an agreement for the establishment of an international task force to fight cybercrime, including identity theft and computer hacking.   Mark Sullivan, the director of the Secret Service, stated that cybercrime "is not a borderless crime and we believe there needs to be a reaction at an international level." … More

Incident of the Week: French Hacker Compromises Twitter Employee Passwords, Steals Company Documents

This week, Twitter co-founder Evan Williams confirmed that the company has been the victim of an attack that compromised a number of employee personal accounts at Amazon, PayPal and AT&T, employee personal email and Twitter’s internal company documents.  The hacker, who goes by the handle “Hacker Croll,” has apparently emailed a collection of 310 internal Twitter documents to TechCrunch, including a presentation for a proposed reality television show called “Final Tweet”… More

U.S. and South Korea Targeted in Ongoing Denial of Service Attacks

On the 4th of July an organized series of Denial of Service (DOS) attacks were launched against a number of U.S. government websites (including the White House, Treasury Department and the Federal Trade Commission websites), as well as several websites associated with the South Korean government and a handful of corporate targets (the Washington Post and Nasdaq stock exchange). [If you are wondering what a DOS/DDOS attack is,… More

Incident of the Week: FBI Arrests Hacker Posing as Security Guard Who Infiltrated Texas Hospital Days Before “Devil’s Day” Attack

This week, the U.S. Attorney’s Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25 year old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital’s computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.

Conficker Worm Still Lurking, Threat Remains

While the media frenzy surrounding the Conficker worm may have died down over the past several months, recent reports suggest that the computer worm is alive and well, and continues to expose PC users worldwide to the risk of identity theft and other mischief.

FTC Chairman Pushes for Increasingly Specific “Self” Regulation of Behavioral Advertising

In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of  “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests” is a concern for consumer groups.  Consumers’ concerns range from the transparency of the process to the adequacy of security measures in place to protect information compiled,… More

How far do anti-hacking statutes extend?

An appellate court in Ohio was recently called upon to analyze that state’s cybercrime statute, OCR Ann. §2913.04, which criminalizes unauthorized access to protected computers.  In Ohio v. Wolf the court held that a city employee who was using a city computer during work hours to view pornography, visit adult “dating” websites, and solicit sexual activity, had exceeded his authorized access to the computer and was guilty of the felony of “unauthorized use of property;… More

Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database

Wikileaks is reported to have published a copy of the ransom note (please pardon the grammar and language in the original): "I have your [expletive] in *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions.  Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 🙁 For $10 million, I will gladly send along the password." … More

Cyberespionage Threats Driving New Military Cybersecurity Command

Coming on the heels of recent cyberespionage news, the Wall Street Journal reported today on Pentagon plans to create a new military command focused on cyberwarfare.  The new command will coordinate both offensive and defensive cyberwarfare efforts, focusing, in the latter case, on assisting the National Security Agency (NSA) and the Department of Homeland Security’s National Cyber Security Division (NCSD), the lead agency for domestic cybersecurity efforts.… More

New Law Would Require ISPs to Retain User Logs and Subscriber Records for Two Years

In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a provision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years. Specifically, Section 5 of the bill requires that ISPs retain "all records or other information pertaining to the identity of a user of a temporarily assigned network address."… More

Cyberspies Penetrate U.S. Power Grid

According to a recent report from the Wall Street Journal, cyberspies from China, Russia and other countries have penetrated into the U.S. electrical grid and left behind software that could disrupt the system.  According to officials, the spies have not actually damaged the grid or any other key infrastructure, but appear to have been attempting to navigate the electrical system.  More importantly, the intruders could attempt to damage the system during a war or other national security crisis.… More

New Cybersecurity Legislation Introduced in the Senate

As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation.  Last week the Senators introduced two bills.  The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President.  The second, S.773 (text of the bill not yet available), entitled the Cybersecurity Act of 2009, gives the President the power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network. … More

Big Bump in Federal Cybersecurity Spending?

The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation’s computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate U.S. losses from data breaches to be in the billions of dollars annually and warn that future attacks could cause physical harm or serious financial chaos. … More

OPSEC, Data Security and A-Rod

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players,… More

Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama’s Passport Records

Dwayne F. Cross, the second of three people who have pleaded guilty to illegally accessing then-presidential candidate Barack Obama’s passport files, was sentenced to 12 months of probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members and personal acquaintances, out of “idle curiosity.” These files contained a wealth of personal information including Social Security numbers,… More

Senate Drafting Cybersecurity Law – Seeks To Appoint National “Cybersecurity Czar”

Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports.  The proposed legislation would also

  • require intelligence and Homeland Security officials to perform vulnerability assessments;…
  • More

Departing Employees Are Increasingly Stealing Company Information

As discussed by Mike Rosen on Foley Hoag’s Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company information also admitted that they used that information to leverage a new job.… More