Category Archives: Cybersecurity & Cybercrime

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released version 3.4 of their Security Risk Assessment (SRA) Tool.

The SRA Tool is designed to help healthcare providers conduct a risk analysis as required by the HIPAA Security Rule. Identifying and assessing potential risks and vulnerabilities to electronic protected health information (ePHI) are foundational elements in the implementation of security measures that protect ePHI.… More

On July 13, 2023, the Biden Administration released its National Cybersecurity Strategy Implementation Plan (NCSIP) with the goal of providng transparency and coordination for its existing goals. The NCSIP details more than 65 Federal initiatives (some completed, some ongoing, others planned for the future). Each NCSIP initiative is assigned to a responsible agency and has a timeline for completion.

There are five major “pillars” to the NCSIP:

• Defending Critical Infrastructure
• Disrupting and Dismantling Threat Actors
• Shaping Market Forces and Driving Security and Resilience
• Investing in a Resilient Future
• Forging International Partnerships to Pursue Shared Goals

Some NCSIP initiatives,… More

On Wednesday, June 21, Foley Hoag hosted a NY CLE program “Privacy, Cyber Security and Data Protection 101: A Primer that Addresses New York’s New Mandatory CLE Requirements. You can access the materials and recording using the below links.

• Presentation
• Webinar Recording

More

Cyberattacks on the energy sector have been rapidly growing since 2017, and we saw an all-time high of cyberattack events on the sector in 2022. The energy sector is particularly vulnerable due to these types of attacks due to the outdated and unsecured networks oftentimes used in the industry, as well as the increased use of distributed energy resources (“DER”), which creates more openings to attack and requires more resources to monitor and manage.… More

It’s been several years since I have written about password hygeine. I have been hoping that a better security solution would be widely adopted and while I hear rumors in that regard, passwords still reign supreme.  So when I saw that the SafetyDetectives website had listed the 30 most common passwords, it seemed like a good time to revisit the topic.  Their study found that “123456” and “password”… More

On May 23, 2023, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions,… More

The Massachusetts State Police Commonwealth Fusion Center (CFC) believes that cyber actors may use the current bank failures for future phishing and business email compromise (BEC) attacks. Cyber actors often use current events to mask their phishing campaigns to seem more believable and relevant.  As everyone now knows, Silicon Valley Bank (SVB) became one of the largest banks to fail since the 2008 financial crisis. More recently, First Republic Bank also failed. … More

Over the past several years, the energy sector has become a prime target for hacking and ransomware attacks, with over 40 attacks on the industry since 2017.  Cyber attacks have only continued to rise, with a record high of 13 reported attacks in one year occurring in 2022.

Physical Security Threats to U.S. Energy Infrastructure

A new type of threat against the energy sector crystallized at the end of 2022: physical attacks on the grid. … More

Privacy & Data Security Practice co-chair Chris Hart spoke to SecurityWeek about the Biden administration’s National Cybersecurity Strategy and government intentions for the future of U.S. cybersecurity.

Read the full article here. More

Foley Hoag is pleased to contribute to Lex Mundi’s report on global data privacy trends and topics.  Our Lex Mundi network gives us access to the best attorneys in data privacy in jurisdictions across the globe, who provide local expertise on anticipated regulatory risks to overcome related to cross-border data and cybersecurity challenges. To access the full report, click here. More

Governor Charlie Baker recently took steps to strengthen cybersecurity in Massachusetts by signing an executive order on December 14, 2022 creating an advisory panel to improve the state’s cyber defense. The new state task force will assess existing resources, develop contingency plans, and identify strategies for preventing future cyberattacks.  The goal of the task force is to ensure that the Bay State is at the forefront of the ever-evolving cybersecurity landscape.… More

Foley Hoag presented a discussion and Q&A regarding the growing threat of business email compromises (a.k.a. man-in-the-middle attacks). Attorneys Chris Hart and Yoni Bard, litigators with experience in privacy matters and business disputes, shared what they have learned through successfully representing victims of hacking and phishing attacks that have led companies to misdirect payments to unknown criminal actors. They discussed strategies for preventing these attacks and, if they occur, maximizing the likelihood of recovery through rapid response strategies (involving law enforcement and banks),… More

On March 24, 2022, the Department of Justice unsealed two indictments charging four Russian government employees in two hacking campaigns that targeted critical infrastructure in the energy sector.  We cover these indictments in depth here.  Concurrently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) jointly published a Cybersecurity Advisory (CSA) relating to the hacks.… More

The cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory (CSA) to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.

Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure,… More

The Cybersecurity & Infrastructure Security Agency (“CISA”) has just released CISA Insights: Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides proactive steps organizations can take to assess and mitigate risks from information manipulation. Malicious actors (i.e., Russia) may use tactics—such as misinformation, disinformation, and malinformation—to shape public opinion, undermine trust, and amplify division, which can lead to impacts to critical functions and services across multiple sectors. … More

According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA“), the potential hostilities between Russia and Ukraine are likely to spill over into cyber warfare.  In this month’s CISA Insights:

Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies,… More

On November 3, 2021, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) added two Israeli entities to the Entity List due to malicious cyber activities. In its press release, BIS stated that the designation of Israeli companies NSO Group and Candiru was based on evidence that these entities developed and supplied spyware to foreign governments, which was then used for malicious surveillance,… More

As we anticipated last spring, the Department of Justice (DOJ) has signaled that it will utilize civil enforcement of the False Claims Act (FCA) to address new and emerging cybersecurity threats. On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of a new cyber-fraud initiative led by the Fraud Section of DOJ’s Commercial Litigation Branch. The new initiative will focus FCA enforcement against federal government contractors or grant recipients who fail to follow required cybersecurity standards.… More

Ransomware payments continue to be a focus of the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As previously reported by Foley Hoag, on October 1, 2020, OFAC released an advisory regarding potential sanctions risks related to facilitating ransomware payments. Almost a year later, on September 21, 2021, OFAC updated its advisory to provide additional guidance regarding what OFAC considers to be mitigating factors if facilitating a ransomware payment results in an apparent violation of U.S.… More

Ransomware payments continue to be a focus of the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As previously reported by Foley Hoag, on October 1, 2020, OFAC released an advisory regarding potential sanctions risks related to facilitating ransomware payments. Almost a year later, on September 21, 2021, OFAC updated its advisory to provide additional guidance regarding what OFAC considers to be mitigating factors if facilitating a ransomware payment results in an apparent violation of U.S.… More

On July 28, 2021, President Biden issued a Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.  The Memo recognizes that the protection of the nation’s critical infrastructure lies not only with government, i.e., at the federal, state, local, tribal, and territorial levels, but with critical infrastructure owners and operators.  In addition, the Memo states that cybersecurity threats to critical infrastructure, and the systems that control and operate it,… More

If you aren’t following the ransomware attack on Kaseya’s VSA product and approximately 800-1500 of its users, you should be.  Like many cyberattacks, this one came on the verge of a holiday weekend.  As the company itself notes, “Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack.   Due to our teams’ fast response, we believe that this has been localized to a very small number of on-premises customers only. … More

In Van Buren v. United States, the Supreme Court has issued its first ever opinion interpreting the Computer Fraud and Abuse Act.  The CFAA, originally conceived as an anti-hacking statute, broadly prohibits, and imposes civil and criminal penalties for, accessing computers or computer systems “without authorization” or in a way that “exceeds authorized access.”  18 U. S. C. §1030(a)(2).  The question before the Court was how far CFAA liability extends under that latter clause—“exceeds authorized access.”  Does it apply merely to those allowed to obtain information from some parts of computer systems but not others? … More

On May 27, 2021, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a Security Directive that will enable DHS to better identify, protect against, and respond to threats to critical companies in the pipeline sector.  (And for those in other business sectors, this is a potential preview of cybersecurity regulation to come.)

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro N.… More

On May 12, 2021, President Biden signed an Executive Order which is aimed at improving the nation’s cybersecurity and protecting federal government networks.  The Executive Order has been in the works for some time, but the timing of its release is a response to the Colonial Pipeline ransomware attack.

According to the Fact Sheet issued by the White House, this Executive Order will:

• Remove barriers to threat information sharing between government and the private sector
• Modernize and implement stronger cybersecurity standards in the Federal Government
• Improve software supply chain security
• Establish a Cybersecurity Safety Review Board
• Create a standard playbook for responding to cyber incidents
• Improve detection of cybersecurity incidents on Federal Government networks
• Improve investigative and remediation capabilities

The overall impact of the Executive Order is limited,… More

By now, you have heard about the SolarWinds Orion hack. But what do you need to know about it?

First, if you want or need the technical details, the Cybersecurity and Infrastructure Security Agency (CISA) has them. In particular, on December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices.… More

On October 28, 2020, a joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures used by cybercriminals against targets in the healthcare and public health sectors to infect their systems with Ryuk ransomware for financial gain.

CISA,… More

On October 6, 2020, the Department of Homeland Security (“DHS”) released a 2020 Homeland Threat Assessment (“HTA”).  According to Acting Secretary Chad F. Wolf, the “first of its kind report” identifies the primary threats facing the nation and analyzes the vast array of information coming from all DHS operational components that crosses his desk on a daily basis.  “When the American people read this HTA they will be more aware of the traditional threats facing the Homeland like terrorism and organized crime.  … More

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies that might pay ransomware attackers of the potential sanctions risks for facilitating ransomware payments.  In particular, the alert targeted “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response….”  While this is an advisory and does not have the force of law,… More

What do businesses need to do to comply with privacy and data security laws?  The first place to look is to relevant statutes.  If you store or process the personal information of Massachusetts residents, then you will at least be subject to the Massachusetts Data Breach Notification Statute and related security regulations.  These are important guides that require certain operational activities, such as maintaining a written information security program,… More

Malicious cyber actors have been exploiting the COVID-19 crisis, warn the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) in a joint release issued April 8. Bad actors have done so in two main ways: first, by grafting COVID-19-related themes onto standard cyberattack practices; second, by exploiting vulnerabilities in services that have seen increased use since the pandemic began.… More

Both legally and practically, there need not be an exclusive choice between health information privacy and using GPS and other technology to gather and provide information about COVID-19. Foley Hoag’s Jeremy Meisinger shares more in this GPS World article.

  More

If you are among the many people turning to video-teleconferencing (VTC) to stay connected during the COVID-19 pandemic, you need to protect yourself from “Zoom-bombing” – the entrance of uninvited individuals into your VTC.  The FBI has received multiple reports of conferences being disrupted by offensive images and/or threatening language.

The FBI recommends the following steps to mitigate VTC hijacking threats:

• Do not make meetings or classrooms public:
  • In Zoom,…

More

Colin Zick, Co-Chair of Foley Hoag’s COVID-19 Task Force, recently appeared on the WGBH news program In It Together, where he spoke with Arun Rath about the steps companies and individuals can take to protect their sensitive data in an era of remote working and telehealth. Click here to listen to a full recording of the program. More

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) just completed a stakeholder security briefing.  This was recorded and should soon be available on the CISA website, but in the interim, some key takeaways are:

• We are in the “initiation phase” of the pandemic, meaning the worst is yet to come (the “acceleration phase”).
• Covid-19 has been found in 42 states.
• The presenters declined to comment on the likelihood of mandatory quarantines.…

More

Security experts nationwide warn that the United States should expect serious cyberattacks from Iran in the next few months. The anticipated attacks, retaliation for United States’ killing of Major General Qasem Soleimani, are likely to include as targets oil refineries and other energy infrastructure.  The specific targets, and whether the attacks will be state-sponsored and strategic or carried out by individuals or smaller groups, remain unknown.

One reason underlying the likelihood that Iran will ramp up its cyberattacks is that,… More

Editors’ Note:  This is the fifth in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year.  Our previous entry discussed the CCPA, energy, Brexit, and health privacy.  Next up:  trends in GDPR enforcement.

Out of all governmental agencies, state attorneys general are likely to have the greatest impact on privacy enforcement in 2020 for the average business. … More

On January 4, 2020, the US Department of Homeland Security posted at National Terrorism Advisory System Bulletin, in the wake of the killing of a senior Iranian military leader by a US drone.  That DHS advisory states:

The United States designated Iran a “State Sponsor of Terrorism” in 1984 and since then, Iran has actively engaged in or directed an array of violent and deadly acts against the United States and its citizens globally.… More

Foley Hoag partners Colin Zick and Janine Ladislaw joined Licata Risk Advisors for a discussion on how to improve awareness and understanding of a company’s key risk exposures and how to mitigate and insure them. Topics included privacy and data security law, cybersecurity risk threat vectors, preventing IP infringement claims, and more. Click here to download the materials. More

InfoTrax Systems, a Utah-based technology company, has agreed to implement a comprehensive data security program to settle Federal Trade Commission allegations that the company failed to put in place reasonable security safeguards, which allowed a hacker to access the personal information of a million consumers.  InfoTrax Systems, L.C., provides back-end operation services to multi-level marketers. This includes such services as compensation, inventory, orders, accounting, training,… More

As data breaches are seemingly reported on a daily basis, cybersecurity has emerged as a top enforcement priority for federal and state regulators and a key concern for companies of all sizes in a diverse range of industries. For example, compliance with federal cybersecurity regulations is required by nearly every government contract and the New York Division of Financial Services adopted a vast set of regulations that is applicable to all entities operating under NYDFS licensure.… More

What do pumpkin spice lattes and National Cybersecurity Awareness Month have in common?  Not much, other than both should be top of mind in October, but that doesn’t mean that it’s wrong to think about them both in August.

Held every October, National Cybersecurity Awareness Month is a collaborative effort between government and industry to ensure every American has the resources they need to stay safe and secure online while increasing the resilience of the Nation against cyber threats.  … More

Partner Colin Zick will speak at the “A Day at the Breach: Cybersecurity and Privacy for Your Business” event in Boston on August 14, 2019.

Description

Inadequate Cybersecurity processes can bring business operations to a halt, and cost thousands of dollars in litigation and lost revenue. This networking program will feature an expert panel discussion on recent trends in Cybersecurity and Privacy issues and best practices.… More

In early June, the Cyberspace Administration of China released for public comment new draft regulations applicable to the collection of personal information relating to children under 14 by online service providers.

The draft regulations share many of the same structures as those utilized by the Children’s Online Privacy Protection Act (“COPPA”) in the United States:

• online service operators will have to obtain parental consent based on a comprehensive disclosure about the collection,…

More

A new Massachusetts law toughens reporting requirements for companies and organizations hit by data security breaches and mandates requires free credit monitoring to affected consumers. Partner Colin Zick and counsel Chris Hart recently presented a webinar for Associated Industries of Massachusetts (AIM) that provides a big picture of the data privacy legal landscape, discusses real-world impacts of the new provisions and offers guidance on other upcoming changes such as the GDPR and the California Consumer Privacy Act (CCPA).… More

The California Consumer Privacy Act (“CCPA”) has been lauded as a “huge step forward” that could set a standard for other states and the federal government that enact increasingly robust data privacy legislation.  Indeed, some federal lawmakers view the law so favorably that they do not want future federal legislation to replace it. In the words of Rep. Jackie Speier (D-Calif.) to Politico: “California’s bill is the best.… More

Imagine this scenario:  you’ve had a productive and mutually advantageous ongoing contractual relationship of several years with another party.  You have built up quite a bit of trust over the years, and communicate regularly over email.  Your email communications include you receiving invoices and then confirming payment; your email messages might include a note about an upcoming shipment or provision of services, or even a note wishing the family well.… More

Bloomberg Law interviewed partner Colin Zick as part of a Special Report on how businesses are adjusting to recent data and privacy rules. Zick discusses why companies should be prepared to deal not only with GDPR requirements, but also a patchwork of state laws that may carry compliance requirements as well.

“We’re in the midst of a large public policy debate about what we’re going to do when it comes to data privacy laws,”… More

On March 22, 2019, Foley Hoag hosted the New England Electricity Restructuring Roundtable, organized by Raab Associates. The roundtable featured keynote addresses by Federal Energy Regulatory Commission (“FERC”) Commissioner Cheryl LaFleur—who recently announced she will be stepping down later this year—and North American Reliability Corporation (“NERC”) CEO and President James Robb. Both took turns addressing the most pressing issues in energy. … More

Every company should expect that at some point it will experience a data breach. Whether as a result of hackers, disgruntled employees, or careless acts such as losing an unencrypted phone or laptop, data breaches may subject companies to liability and must be handled with speed and great care. What are the responsibilities of directors in preventing and addressing data breaches?

Without a doubt, directors must be generally aware of the data security risks facing the company and ensure that the company is prepared to manage those risks appropriately and has an incident response plan for a data breach.… More

Taking stock of the current privacy and security environment is critical. The legal world around data privacy continues to shift and the technical challenges to solving data security needs continue to increase in complexity.

Join Foley Hoag’s Chris Hart and Rapid7’s Jeremiah Dewey for a conversation about understanding and meeting today’s data privacy and security challenges. They will discuss the following:

• What does the current threat environment look like?…

More

Partner Colin Zick speaks to Bloomberg Law about how big law firms are expanding their state-focused practices to help clients deal with heavy state fines for alleged privacy violations.

Companies are turning to state-centric practices “because they see the threats from individual state enforcers,” Zick said. They want expertise from former officials, like former Massachusetts Attorney General Martha Coakley, who know the proper approach to limit enforcement risks,… More

Earlier this month, Federal Energy Regulatory Commission (“FERC”) Chairman Neil Chaterjee testified before the U.S. Senate Committee on Energy and Natural Resources on issues related to cybersecurity in the energy industry.

In his testimony, Chaterjee seemed to soften at least his messaging, if not his position, calling for increased mandatory oversight of cybersecurity for gas pipelines.  In a joint letter written last June,… More

Data breaches – always critically important to those with responsibility for storing, transporting and protecting electronic information – have become an all-consuming topic of late. Stories about data theft dominate political headlines, boardroom discussions, and family meetings around the dinner table.  They, of course, have also been the subject of government investigations and private litigation.

The current environment is not unlike other moments in our recent past that seemed to have captured the attention of Wall Street,… More

On January 10, 2019, Massachusetts Governor Charlie Baker signed a new law that amends its data breach reporting law, and requires credit reporting agencies such as Equifax to provide a free credit freeze to consumers.  The new law, “An Act Relative to Consumer Protection from Security Breaches,” also requires companies to offer up to three years of free credit monitoring to victims of a security breach,… More

Editors’ Note:  This is the seventh and last in our third annual series examining important trends in data privacy and cybersecurity during the new year.  Our previous entries were on political advertising, cryptocurrency, emerging threats, state law trends, comparing the GDPR with COPPA,… More

Editors’ Note:  This is the fourth in our third annual series examining important trends in data privacy and cybersecurity during the new year.  Our previous entries were on state law trends, comparing the GDPR with COPPA, and energy and security.  Up next:  cryptocurrency.

Predicting the future is always a bit of a mug’s game, given that today’s bold claims about what is coming next often end up being served as tomorrow’s “claim chowder,” to use John Gruber’s memorable phrase.… More

Article by James Swann

A recent hack of Obamacare enrollment records might result in a full-blown privacy investigation of the government agency that is responsible for the federal health-care exchange and serve as a wake-up call to the government.

The aftermath of the breach may be even more troubling than the breach itself, Colin Zick, with Foley Hoag in Boston, told Bloomberg Law.… More

On September 26, in the Securities and Exchange Commission’s (“SEC”) first enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), Voya Financial Advisors Inc. (“VFA”), an SEC-registered investment adviser and broker-dealer, has agreed to settle charges relating to failures in its cybersecurity policies and procedures concerning a cyber-intrusion that compromised thousands of customers’ personal information. VFA agreed to pay a $1 million penalty as well as retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule.… More

In a recent trip to Ireland, I was surprised to see two subjects that Ireland is known for — GDPR and rugby — coming into conflict.   As reported in the Sunday Business Post, World Rugby was lobbying the Irish government to create new data protection laws to address the interaction of anti-doping testing and the laws regarding transfer of data among and between different countries.  … More

As noted recently in the Wall Street Journal, “New cybersecurity rules will give Chinese authorities sweeping powers to inspect companies’ information technology and access proprietary information—steps that are likely to deepen concerns among foreign businesses about their China operations.”  These regulations were issued pursuant to the Cybersecurity Law of the People’s Republic of China, which came into force on June 1, 2017.… More

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the Golden State’s landmark Consumer Privacy Act (“CCPA”). California enacted the CCPA in June after legislators reached a last-minute compromise with a group of privacy activists who would have put a more stringent data protection measure on the November ballot. Given the hasty enactment of the law,… More

In a recent decision from the District of Massachusetts, the alleged perpetrator of cyber-attacks against Wayside Youth and Family Support Network and Boston Children’s Hospital (“BCH”) failed in his attempt to assert a novel defense:  necessity.  In what most would view as a positive development, the court found that the defendant and alleged hacker did not “offer[] competent evidence that it was objectively reasonable to anticipate a causal relationship between the alleged cyber attack and the purported harm to be averted.”… More

On July 19, the Federal Energy Regulatory Commission (“FERC” or “Commission”), pursuant to its authority under section 215 of the Federal Power Act, issued a final rule directing the North American Electric Reliability Corporation (“NERC”) to develop modifications to NERC’s Reliability Standards as they relate to cyber security incidents. Issuance of the final rule is timely. A recent news article described hackers’ successful infiltration of the control rooms of multiple electric utilities.… More

It was my pleasure yesterday to speak at MedInnovation Boston 2018, and deliver a presentation on “The Interplay of HIPAA, Privacy and Data Security Principles, and Health Information Interoperability“.  With constantly evolving technology and the new GDPR legal framework. achieving interoperability seems harder than ever. More

It is the last day of Bio 2018 and I am attending a curiously titled session:  Is Biotechnology Drowning in Health Related Data?   The panel’s answer to that question is “no” — in fact, they all agreed there isn’t enough data yet, if we want to achieve “convergence”.  That’s the new buzz word:  convergence.  One speaker described it as “a better quantification of humanity.” … More

It took three days, but I finally found a panel at BIO 2018 that addressed the current challenges in privacy and security regarding health data.  This panel, Realizing the Potential of Clinical and Consumer Genomics, was focused on all the new genetic tests that are available (with more to come) and all the genetic data those tests are generating.  I was particularly impressed with the approach of Mindstrong Health to privacy and security,… More

I am attending BIO 2018 in Boston, just steps from our Boston office. Naturally, I was drawn to yesterday’s session on “Life Sciences Cyber Exposures and Risk Mitigation Considerations.” But I came away disappointed. First of all, the session was held in a small room and even then, it was only one-third full (maybe 30 people of the 16,000 attending BIO 2018 chose to attend).… More

It’s probably not going to change anything, but the Democratic National Committee has sued Russia (and members of the Russian establishment), members of the Trump campaign, and Wikileaks regard the 2016 election security breaches.  The DNC’s complaint includes almost every claim imaginable in response to a hacking incident.  If nothing else, it’s a good model for lawyers to crib from. More

Attorneys Colin Zick, Catherine Muyl and Marion Cavalier recently presented a webinar for MichBio U on what the EU’s  General Data Protection Regulation means for U.S. healthcare and life science companies. Click here to download the presentation. More

Reproduced with permission from Bloomberg Law: Health IT Law & Industry Report, (March 9, 2018). Copyright 2018 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By James Swann

Privacy and security concerns are mounting as Uber and Lyft break into the medical transportation space.

The two companies recently rolled out separate initiatives to drive patients to and from medical appointments,… More

There seems to be a new scientific study published every day—like this one that alleges that eating cheese every day might actually be healthy. Understandably, many of these studies fly under the radar — but two recently published reports regarding cybersecurity and health care should not. These two reports show that the healthcare industry in particular is continuing to struggle with cybersecurity issues. Understanding the vulnerabilities revealed by these studies is important to healthcare organizations attempting to reduce their cybersecurity risks and legal liabilities.… More

Partner Colin Zick was recently invited to speak to the Union College Computer Science Department’s Seminar Series. His presentation addressed the difficulties in implementing encryption in the workplace, the challenges to encryption from law enforcement, and the future of encryption in light of U.S. v. Microsoft and the coming GDPR.

Click here to download the presentation.… More

As the SEC has made clear on numerous occasions over the past year, cybersecurity will continue to be a major enforcement priority under the Commission’s new leadership.  As we have previously covered, one new area of potential enforcement activity that the SEC has warned about concerns the failure of public companies to make disclosures regarding material cyber events.  While the SEC had previously provided some guidance to publicly traded companies about when to disclose such events,… More

In the European Union (“EU”), “everyone has the right to the protection of personal data concerning him or her” under the Charter of Fundamental Rights. Intellectual property is also protected as a fundamental right under the Charter, as is freedom of speech. These rights can sometimes conflict. In two previous posts on cases about linking to Playboy pictures and the inspiration for Jeff Koons’ sculptures,… More

Reproduced with permission from Bloomberg Law: Privacy & Data Security, (Jan. 18, 2018). Copyright 2018 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

By James Swann

The federal government has identified two new cyberthreats that put patients’ personal data at risk for exposure.

The threats, known as Spectre and Meltdown, exploit a vulnerability in many commercial computer chips underpinning health-care computer networks,… More

Recent federal legislation indicates a growing federal interest in blockchain as a potentially integral technology in cybersecurity systems. This comes on the heels of recent legislation in the New York Assembly also suggesting state level interest in blockchain.

On December 12th, H.R. 2810, the “National Defense Authorization Act for Fiscal Year 2018,” was signed into law. This law was, first and foremost,… More

As part of our Year in Preview series, we’ve recently covered both international cyberwar and the rise of cryptocurrency.  Just before the holidays, both of these topics collided in a decidedly unpleasant manner.

On December 19, the South Korean cryptocurrency exchange Youbit filed for bankruptcy, disclosing that it had just suffered a hack that made off with about one fifth of the bitcoins stored on its platform. … More

Recent legislation in the New York State Assembly reflects a growing governmental interest in blockchain as a  technology in cybersecurity systems.  On November 27, four different bills addressing blockchain technologies were introduced into the New York State Assembly. Most significant among these is Assembly Bill 8793, which would establish a task force to study and report on the potential implementation of blockchain technology in state record keeping,… More

The worldwide WannaCry attack from May 2017 has been officially blamed on North Korea.  In a press briefing publicly announcing the Administration’s declaration of North Korean culpability, the Department of Homeland Security continued to note the importance of public-private partnership in cyberdefense.  While such collaboration (and desire for collaboration) is not new, the press briefing did appear to call for a newfound emphasis on the need for the government to work together with private companies. … More

This week, the Advanced Cyber Security Center (ACSC) released a new report entitled, “Cyber Security Post Equifax: Perceptions and Priorities from Massachusetts Residents.” The report highlights the results from a survey of Massachusetts residents conducted to better understand public opinion on consumer and privacy matters and cyber security related to the Internet. Click here to read in full. More

Editors’ Note:  This is the third of a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Click here for our previous entry on HIPAA Compliance, and here for our entry on emerging security threats.  Up next:  trends in state enforcement.

This time last year, Donald Trump had just been elected,… More

Editors’ Note:  The following is an excerpt from an article published by SearchSecurity.  To read the full article, click here.  Registration required.

A data breach is a business crisis that can have enduring ramifications. While the discovery of a breach can initiate a drill — investigating what happened, remediating the security gaps, engaging law enforcement, and complying with state and federal notification laws —… More

As you enjoy the holiday weekend, and even some Cyber Monday shopping, keep in mind these online shopping tips from the FTC:

• Know the seller and the item. Put the company or product name in a search engine, along with “review,” “complaint,” or “scam.” Read the reviews. Be sure you can contact the seller if you have a dispute.
• Avoid clicking links in emails.…

More

Editors’ Note:  This is the second of a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Click here for our previous entry on HIPAA Compliance.  Up next:  trends in federal enforcement.

After one of Britain’s first victories in the Second World War, Winston Churchill declared that it was “perhaps, the end of the beginning” – a turning point in the war. … More

Partner Colin Zick will join ACSC Executive Director Michael Figueroa on a panel called “Surveillance, Security, and Privacy” at the 2017 ACSC Annual Conference on November 2. The session will examine challenges and considerations for utilizing advanced surveillance capabilities from multiple perspectives. Click here for details. More

Interesting viewpoints from this Journal of the American Medical Association article on FDA’s August 2017 notice re: cyber security issues with certain pacemakers, including:

• “This first widespread cybersecurity advisory involving a permanent medical device implant provides some insight into the ways in which the public experience with these types of medical device malfunctions might be improved.”
• “Communications regarding widely used products for which multiple vendors exist in the marketplace should serve as opportunities to highlight current FDA and industry standards,…

More

The new GDPR is much more detailed than the 1995 Directive. The GDPR has 99 articles, versus 34 in the Directive. And a few new key concepts clearly require new guidance.

Since the adoption of the Regulation on 27 April 2016, the Article 29 Working Party (with representatives of the Supervisory Authorities of all Member States) has issued 3 sets of guidance on “Data portability”,… More

After repeated requests from various states, the Department of Homeland Security informed state governments which states had their election systems hacked or otherwise compromised during the 2016 general election.  According to reports, 21 states had their systems compromised in some fashion, although there is no evidence voting machines themselves were tampered with and in only some instances were computer systems actually penetrated.… More

As most are aware, the Massachusetts Attorney General has won the race to the courthouse and been the first regulator to file suit against Equifax.

• The 28 page complaint is summed up on paragraph 4:Consumers do not choose to give their private information to Equifax, and they do not have any reasonable manner of preventing Equifax from collecting, processing, using, or disclosing it. Equifax largely controls how,…

More

Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.

As in-house counsel,… More

Kaspersky Lab, a Russian-owned cybersecurity company that sells anti-virus software and other kinds of IT systems security products, has been banned from use by the federal government.  This latest development comes by way of the Department of Homeland Security (DHS), which issued a directive requiring agencies to (1) identify Kaspersky products they are using, (2) create plans to stop using those products, and,… More

As we previously said, the Equifax breach affects approximately 143 million Americans. While the hackers stole data that includes addresses, birth dates, full names and Social Security numbers, there are steps you can take today that will protect you from an identity theft worst-case scenario.

Assume the hackers stole your data

While no one wants to be in a situation where personal information was exposed,… More

Me and 143 million of my closest friends may have had our personal information inappropriately accessed through a breach at Equifax–is there no safe haven anywhere?  Deferring that question for another day, here are the instructions from the FTC on how to check if your data is implicated.  The first time I tried, I could not access the site:

I waited an hour and went back to the site. … More

As we’ve blogged in the past, the cannabis industry is particularly susceptible to cyberattacks. With threats like a federal crackdown and workplace drug testing, customers have a vested interest in keeping their information private. Unfortunately, the newly-legal cannabis industry has limited experience with data security. While traditional industries have the benefit of expertise and mature regulatory oversight to foster best cybersecurity practices,… More

Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.… More

Christopher Painter, the State Department’s “Coordinator for Cyber Issues” stepped down on July 28, 2017. Described as the Department’s “weary soldier in America’s cyber war,” Painter traveled the globe advancing U.S. interests in cyberspace. His efforts included coordinating diplomacy in cyber security matters and launching “cyber dialogues” with foreign powers. The aim of those dialogues: reducing cyber threats ranging from D-DOS attacks to the theft of intellectual property.… More

Did someone steal your tax return?  You are not alone.  Indeed, the rise in tax-related identity theft has been well documented.  In 2015, the FTC reported a 50% increase in identity theft complaints.  A primary cause for that increase was the rise in tax-related identity theft.  In response to this increase, the IRS has made stopping identity theft and refund fraud a top priority.  From 2011-2014, the IRS reported that it stopped 19 million suspicious returns and protected more than $63 billion in fraudulent returns. … More

A mere month and a half after the WannaCry strain of ransomware caused major havoc in European and Asian countries, another major ransomware attack hit large institutions across Europe and the United States yesterday.  ‎Hardest hit has been Ukraine, which has seen major attacks on its government, banks, and power infrastructure.  Other European firms such as Germany’s Deutsche Bahn railways and Danish shipping firm A.P.… More

Cybersecurity has become an increasingly important issue for businesses and governments. Please join us as we host a Member Briefing with two premier experts in Cybersecurity.

Our speakers will provide insights into some of the most significant Cybersecurity challenges facing businesses and government today, including:

• Evolving threats to how businesses & government operate
• Insider threats and what that means for the future
• Importance of being prepared and protected
• The cost of cyber crime

Speakers

• Ed Davis,…

More

Emmanuel Macron won France’s presidential election in a landslide. He defeated his opponent, Marine Le Pen, by more than thirty percentage points. Such a high margin might lead one to think that his victory was inevitable. But on the eve of the election, it did not seem that way.

On the Friday before the Sunday election, hackers released a trove of documents they had stolen from the Macron campaign.… More

Presented by Foley Hoag LLP and PwC

A data breach is a business crisis. What should you do?

Learn first-hand as Foley Hoag LLP and PwC walk you through the practical and legal aspects of responding to a data security incident. From understanding how to be prepared to thinking through best practices, this webinar is designed to help you get a handle on an emergency that every business must confront.… More

The Computer Fraud and Abuse Act, or CFAA, is the federal “anti-hacking” statute (or sometimes referred to as a “computer trespass” statute).  In essence, the CFAA prohibits intentional unauthorized access into another computer, when such action directly accesses certain protected information or otherwise causes damage or loss.  The CFAA provides for both criminal penalties and civil causes of action.  The scope and meaning of access “without authorization”… More

First, the basic facts about the recent ransomware attack:

• US-CERT has received multiple reports of WannaCry ransomware infections in several countries around the world.
• Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.…

More

Those “in the know” in the cybersecurity world have been aware for more than a year of the threat posed by ransomware, a type of malware that locks victims’ access to their files until they pay a ransom.  But discussion of the threat was mostly localized to cybersecurity professionals, blogs like this one, and various guidances released by federal agencies during 2016. But ransomware may just have entered the general public consciousness in a big way.… More

The saga of the cyber security executive order continues; a new draft surfaced just last week. The first draft leaked in January, shortly before the President was expected to sign a cyber-security order. He abruptly postponed. Another draft leaked in February, but the President didn’t sign that one either. Perhaps this latest draft is the final one. “Rumors had it,” Paul Rosenzweig writes,… More

If you check your email this afternoon, you may see a message that someone you know is sharing something on Google Docs. You should verify that separately before opening, as there is a widespread phishing attempt going around using such an invitation. More

The Boston Bar Association’s inaugural Privacy and Cybersecurity Conference will be held on May 24.  The conference will bring together attorneys from private practice and in-house legal departments to network and discuss key topics and trends in privacy and cybersecurity.  This full-day conference will cover a wide range of topics from data breach response and litigation to compliance and transactional issues. Panelists will discuss new developments in the legal and regulatory landscape,… More

First, a little background for those unfamiliar with the wonderful world of the International Trade Commission (ITC). 

Section 337 of the Tariff Act of 1930 (19 U.S.C. § 1337) prohibits “unfair methods of competition and unfair acts in the importation of articles … into the Unites States,” including the importation of articles that infringe various types of intellectual property.  Companies can file complaints in the ITC and administrative law judges oversee the investigations. … More

Legal marijuana is America’s fastest-growing industry. According to ArcView Market Research, cannabis revenue is expected to exceed $22 billion by 2020—nearly double that of the NFL. This past year, Colorado saw its sales reach over $1 billion. Here in Massachusetts, sales are expected to grow to $900 million within three years. Given the nationwide trend toward legalization (at the time of writing,… More

With cyber security threats on the rise, broker dealers must prioritize protection of electronic investor information.  What cyber security threats exist for broker dealers?  In its 2015 Report on Cyber Security Practices, the Financial Industry Regulatory Authority (FINRA) identified a wide range of actors that may attempt to compromise a broker dealers’ electronic records and functions: (1) cybercriminals seeking to steal; (2) nation states; (3) terrorist groups;… More

Partner Colin Zick sits on the advisory committee for Boston Bar Association’s inaugural Privacy & Cybersecurity Conference.

Held at the Courtyard Marriott in Boston on May 24 , this full-day conference will cover a wide range of topics from data breach response and litigation to compliance and transactional issues. Panelists will discuss new developments in the legal and regulatory landscape, while providing strategies to effectively prepare and respond to your client’s needs and offer insights into challenges and opportunities ahead.… More

(First in a continuing series.)

Active Cyber Defense, or ACD, is a broad category encompassing different kinds of actions that organizations can take to defend against breaches and cyberattacks. The operative word is “active.”  Conventional security against breaches tend to involve anti-virus software, encryption, and other perimeter defenses that act to prevent outsiders from coming in to your organization’s systems.  ACD tools are different, and involve anticipating,… More

Law360 recently announced the formation of its 2017 Privacy & Consumer Protection editorial advisory board, which includes partner Colin Zick..

The purpose of the editorial advisory board is to get feedback on Law360’s coverage and to gain insight from experts in the field on how best to shape future coverage.

Click here to see the full members of the board. More

The beginning of March, and a spell of unseasonably warm weather, graced the Northeast this week.  So too did New York’s first-in-the-nation cybersecurity regulations.  As we reported here in January, the initial launch of regulations was scuttled in response to industry concerns about scope and the inability to modify internal security measures by the established deadlines.  This resistance led New York’s Department of Financial Services (“DFS”) to slightly modify the regulations and delay implementation by one month.  … More

More than two weeks ago, the President postponed issuing an executive order on cybersecurity. Since then, we’ve had no word from the White House on when he intends to sign it. However, two purported drafts of the order have wound up on the Internet—the Washington Post published the first one,[1] and Lawfare, the second. Here are a few quick impressions on those drafts,… More

Should businesses be thought of as victims or bad actors when it comes to data breaches?  State attorneys general are embracing the idea that businesses are not necessarily adversaries in the struggle to protect sensitive consumer information.  Over the past several years state attorneys general have exerted efforts to both educate businesses as to their data privacy responsibilities, and collaborate with businesses in constructing more robust cybersecurity policies.  The spotlight now is on the Ohio Attorney General,… More

The Trump Administration has taken office at a time when cybersecurity has increasingly entered the public consciousness as a major challenge facing both the United States government and the business community.  Cyberattacks from both criminal and state actors have bedeviled businesses and roiled politics over the past year.  Against this backdrop, the administration has professed a strong commitment to cybersecurity, for instance designating former New York City Mayor Rudy Giuliani as a high-profile cybersecurity liaison to the private sector,… More

Who should you call when you suspect, or are certain of, a data breach?  Data breaches and other cybersecurity incidents have become of a fact of life.  Yahoo! recently disclosed that data for over one billion users was compromised in 2013.  Hundreds of incidents affecting millions of records were reported in 2016 alone.  So when — not if — your company suffers a breach,… More

The recent hack of the Democratic National Committee (DNC) and the United States’ subsequent decision to impose retaliatory sanctions against Russia poses an important question:  what does international law have to say about state-sponsored cyberattacks?  Unfortunately, and perhaps unsurprisingly, the answer is, very little.  While technological innovation races ahead at warp speed, international law has lagged behind.

There are no international treaties on cyber warfare.… More

In late December, New York’s Financial Services Superintendent Maria T. Vullo announced that the New York’s Department of Financial Services’ (“DFS”) new cybersecurity regulations would not go into effect on January 1, 2017 as initially planned.  These “first-in-the-nation” cybersecurity regulations were designed to help protect consumers and the financial system from the increasingly serious threat of cyberattacks.  However, the regulations faced opposition from the financial services companies and insurers that would have been subject to them.… More

Editor’s note:  This is the sixth and last in our end-of-year series.  See our previous posts on trade secrets, state regulation and law enforcement, HIPAA compliance, emerging threats, and energy.  See you in 2017!

Fragmentation in U.S. data privacy and cybersecurity law is both peril and promise.  The peril?  Businesses must contend with uncertainty and the costs associated with pleasing many regulatory masters. … More

Editor’s note:  This is the fifth in a continuing end-of-year series.  See our previous posts on trade secrets, state regulation and law enforcement, HIPAA compliance, and emerging threats.  Our last post will focus on federal regulation and law enforcement.

In 2015, a sophisticated cyberattack hit six of Ukraine’s energy providers simultaneously, causing a blackout for hundreds of thousands of Ukrainians.  … More

More information from HHS OCR about the phishing threat:

• On November 28, 2016, the HHS Office for Civil Rights issued a listserv announcement warning covered entities and their business associates about a phishing email that disguises itself as an official communication from the Department. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,…

More

Editor’s note:  This is the fourth in a continuing end-of-year series.  See our previous posts on trade secrets, state regulation and law enforcement, and HIPAA compliance.  Our last two posts will focus on the energy industry, and federal regulation and law enforcement.

In 2016, new and alarming cybersecurity threats emerged, raising concerns in government, the business world,… More

This alert just in from HHS OCR:

“It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.  The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy,… More

Editor’s Note:  This is the third in a continuing end-of-year series.  See our previous posts on trade secrets and state regulation and law enforcement.  Up next:  the changing threat landscape.

The year ahead promises to be a busy one for those with responsibility for HIPAA compliance, as the Office of Civil Rights (OCR), charged with enforcing HIPAA, continues to lean in to compliance initiatives and addresses new questions in the rapidly-evolving healthcare information technology environment.… More

Editor’s Note:  This is the second in a continuing end-of-year series.  Stay tuned for our next installment, discussing HIPAA compliance.

In the patchwork of state and federal law regulating the use and maintenance of personal confidential information, states play a significant role and can often be the most important regulator and law enforcement authority.  Recent events have signaled changes in how states interpret and enforce their data privacy standards —… More

Editor’s Note:  This is the first of an end-of-year series of posts examining coming trends in cybersecurity.  Posts will examine trends in state regulations, federal regulatory authority, the changing nature of the threat landscape, and HIPAA.  This post discusses a shift in concern from personal consumer information toward company trade secrets.

When it comes to the issue of data privacy and security, especially among lawyers, the discussion generally concerns personally identifiable information. … More

The U.S. Department of Homeland Security says that all employees need to know the signs of a cyber-attack, not just those who work in the IT field. This is increasingly important as more companies move business operations online. The Department stresses employees should make passwords complex, beware of phishing emails and report all suspicious activity to their company’s IT department.

Last week, attorney Chris Hart joined the Boston Business Journal’s Table of Experts program to provide insights into how to protect a company from a cyberattack,… More

In Case You Missed It:  The Federal Trade Commission has opened a public comment period to evaluate its Safeguards Rule (16. C.F.R. § 314.3).  Under the Gramm-Leach-Bliley Act (GLBA), which regulates financial institutions, the FTC is empowered to promulgate regulations governing how financial institutions secure consumer information.  The Safeguards Rule, as currently in force, does not have specific “how-to” requirements, but rather broad and flexible standards that financial institutions can use as guidelines in assessing risks to the data they maintain and in developing viable security plans. … More

In Case You Missed It: Sometimes data breaches crop-up in the most unlikely of places.  Last week we learned that the vendor that handles fish and hunting licenses for the states of Idaho, Oregon, and Washington was hacked.  The breach potentially exposed the following information for those with fishing or hunting licenses in those northwest states: names, addresses, driver’s license numbers, dates of birth, and the last four digits of Social Security numbers. … More

In Case You Missed It:  In a sign of the growing importance of cyber operations in warfare, the Obama administration plans to elevate the status of the Pentagon’s Cyber Command.  The U.S. Cyber Command, or USCYBERCOM, was created on June 23, 2009.  Its stated mission is to, among other things, “conduct full spectrum military cyberspace operations” to “ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”  Currently,… More

In Case You Missed It:  The Federal Trade Commission issued an opinion in the LabMD case, overturning an ALJ’s November 2015 decision holding that the FTC failed to meet its burden to prove that LabMD’s data security practices caused or were likely to cause substantial consumer injury.  (See this blog’s previous coverage of that decision here.)  The FTC’s complaint against the company concerned two different data privacy incidents that allegedly affected over 10,000 consumers. … More

Are you looking for an introduction to the European Union’s General Data Protection Regulation (GDPR)?  To find out when and how it’s going to impact you and your organization, listen to this quick 10 minute podcast with, Deborah Hurley. Deborah is an adjunct professor of the practice of computer science at Brown University, fellow at the Institute for Quantitative Social Science at Harvard University, and principal at Hurley Consulting.… More

In Case You Missed It: U.S. Major party platforms address cybersecurity.  The two major parties have released their 2016 election platforms, both of which include cybersecurity planks.  The Republican platform’s perspective of cybersecurity is an element of national security and international relations. The platform called for harsh responses to cyber-attacks against American businesses, institutions, and government, applauded the Cybersecurity Information Sharing Act of 2015, and pledged to “explore the possibility of a free market for Cyber-Insurance.” The Democratic platform is largely as a continuation of President Obama’s cybersecurity policies.… More

On July 11, 2016, the HHS Office of Civil Rights (OCR) released guidance on HIPAA covered entities’ responsibilities in a ransomware attack, a type of cyber-attack that has targeted the health care sector extensively in recent months. This guidance comes in the wake of a June 20, 2016 “Dear Colleague” letter from HHS Secretary Sylvia Burwell highlighting ransomware issues. The most notable of OCR’s statements is that ransomware attacks often constitute breaches subject to the HIPAA Breach Notification Rule.… More

This post originally appeared in Law360. Written by Allison Grande. Edited by Philip Shea and Brian Baresch

The rapid rise of the hit smartphone game “Pokemon Go” has opened the developer of the app up to heavy scrutiny from regulators and users, who may end up wielding a variety of privacy and consumer protection laws to address concerns over the type and quantity of data being collected.… More

The recently-released Pokémon Go has quickly emerged as a cultural phenomenon, with legions of players using their phones to “catch” Pokémon that emerge all around them, visible (thankfully) only to players.  While catching Pokémon by phone is far less cumbersome than collecting boxes upon boxes of Pokémon cards, as some of us did in the early aughts, it does come with its own set of pitfalls.  Specifically,… More

In Case You Missed It:  The EU/US Privacy Shield is set to go into effect this Tuesday, July 13, pending a decision today by the EU’s College of Commissioners.  On Friday, July 8, the Privacy Shield agreement (entered into in February) was adopted by EU member states. EU/US data transfer has been in limbo ever since the erstwhile Safe Harbor was invalided by the European Court of Justice last year. … More

In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach.  The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices.  A U.S. District Court ruling last week casts some doubt on that authority. … More

In Case You Missed It

The FTC settled with mobile advertising company InMobi for $950,000 in civil penalties, along with the implementation of a privacy program, based on the FTC’s charges that InMobi impermissibly tracked the locations of both adult and child consumers for the purpose of geo-targeted advertising.  The latter, of course, also implicated allegations of violations of the Children’s Online Privacy Protection Act (COPPA) rule. … More

Last week, the Department of Homeland Security (“DHS”) released its Final Rules for private-sector information-sharing under the Cybersecurity Information Sharing Act of 2015 (“CISA”). CISA permits private companies to share cyber threat information with the U.S. government and shields those companies from liability for doing so.  The new CISA Rules outline exactly how this information-sharing will work, namely: how information is submitted; what information gets submitted; and what happens to the information after submission.… More

In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017.  The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account.  The definition is also expanded to include medical and health insurance information. … More

The FBI recently released an article discussing the spate of ransomware attacks on a variety of different entities, including hospitals. In the article, the FBI warned that ransomware attacks and the cybercriminals carrying them out are growing increasingly sophisticated.  The FBI opposes paying a ransom when hit by a ransomware attack, saying that doing do incentivizes more ransomware attacks, can inadvertently fund other illegal activity, and does not always result in the restoration of access. … More

In Case You Missed It:  The SEC fined Morgan Stanley $1 million for a 2014 data breach.  While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion.  The  SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. … More

In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week.  The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes — a sort of criminal counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday.  And, like the Shield, the Umbrella has drawn its share of critics,… More

Hedge Fund Association Symposium in Boston

The Securities and Exchange Commission has reiterated that cybersecurity threats and the adoption of sufficient policies and procedures will remain a compliance and examination priority for 2016. Please join us for a discussion of the primary threats facing managers of private funds, particularly emerging managers, and practical steps that they should be taking to protect their business from cybersecurity threats.

This event is complimentary for HFA members and friends of Foley Hoag. … More

Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.… More

How Can Companies Transfer Personal Data and Remain Compliant?

The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York are pleased to invite you to a timely panel discussion and networking event.

Date: Wednesday, May 25
Time: 6:00 pm – 8:00 pm
Location: Consulate General of France
934 Fifth Avenue
New York,… More

As litigators, we help clients resolve conflicts that have matured into disputes.  In the realm of cybersecurity, we defend claims brought by private parties or governmental entities against companies facing the fallout from a data breach.

In advising clients in the context of litigation, we have identified tools that are available to mitigate or prevent the types of breaches that we see in litigation.  In the area of cybersecurity,… More

Written by Elizabeth Snell | This article was originally published on HealthITSecurity.com 

The recently announced OCR HIPAA audits are not a cause for panic, according to experts, especially of organizations have proper documentation.

With the most recent round of OCR HIPAA audits announced just last month, many healthcare organizations are working to ensure that they are prepared should they be called for investigation.… More

After years of intense discussions, the EU General Data Protection Regulation (GDPR) was finally adopted on 14 April 2016.

The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies.  For example:

• data controllers (companies collecting and using personal information) will have a wide range of new obligations,…

More

After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield.  However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreements and it did so on April 13.… More

Hospitals are increasingly the target of hackers, particularly in the form of “ransomware.”  What follows is a primer on ransomware and how to avoid being a target of it.

What is ransomware? 

Ransomware is a type of malware that limits users’ access to their computer systems. It functions by locking a user’s system and/or encrypting its files.… More

The content of the Privacy Shield was made public yesterday and today.

The new framework dedicated to the EU / US flow of personal data is in fact a combination of several documents issued by the US and the EU.

On the US side, we have a letter sent by the U.S. Secretary of Commerce Penny Pritzker on 23 February 2016 to EU Commissioner Věra Jourová including the “package of EU-US Privacy Shield materials” (of 128 pages) which is made of 6 letters issued by various US officials (see details at the end of this article).… More

As part of implementing the EU-US Privacy Shield, on February 24, 2016, President Obama signed the Judicial Redress Act (H.R.1428/S.1600). This law is designed to give EU citizens the right to sue the U.S. government for privacy violations.  In particular:

• It authorizes the U.S. Department of Justice to designate specific foreign countries or regional economic integration organizations (i.e., the EU) whose natural citizens may bring civil actions under the U.S.…

More

This article was originally published in Law360 with permission to reprint.

How much does the question of harm matter in cybersecurity law? The answer is: It depends on who is bringing the claim.

Businesses confronting data breaches can face litigation from private consumers as well as from governmental entities. Managing litigation risk varies in these contexts because of the limitations of bringing private rights of action.… More

On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).

CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.… More

Today, the Article 29 Working Party (the advisory body on data protection and privacy composed of representatives from the national data protection authorities of all EU Member States) was to meet in Brussels to discuss, amongst other things, the consequences of the European Court of Justice ruling of 6 October 2015 in the Maximilian Schrems case, with EU-US data flow at the top of its agenda.

However,… More

The scaffolding of the FTC’s powers in the realm of cybersecurity continues to be built.  On Monday, the FTC’s Chief Administrative Law Judge D. Michael Chappell issued an initial decision in the FTC’s closely watched enforcement action against LabMD.  The case involves a 2008 incident in which a data security company (Tiversa Holding Co.) discovered a LabMD document containing personal information of 9,300 patients was available on a P2P file sharing network. … More

I had the pleasure of moderating an excellent panel at the Advanced Cyber Security Center’s annual conference on November 4. The panel’s topic for discussion was “What is Reasonable in Cybersecurity: Responsibility and Accountability for Cybersecurity Practices.” I learned a great deal from our excellent panelists, Gus Coldebella (Fish & Richardson), Deborah Hurley (Harvard University), and John Krebs (Federal Trade Commission), as well as from the audience’s questions.… More

By Catherine M. Anderson and Kate Leonard

The CFTC recently approved the National Futures Association’s interpretive notice (the “Cybersecurity Notice”) on the general requirements that members should implement for their information systems security programs (“ISSPs”), which includes cybersecurity guidance and ongoing testing and training obligations.

The Cybersecurity Notice will be effective March 1, 2016 and applies to futures commissions merchants, commodity trading advisors,… More

A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age:  The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks.  At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention,… More

The Cybersecurity and Information Sharing Act (S.754), or CISA, cleared an important hurdle on Thursday when the Senate voted 83-14 to end debate on several amendments to the bill.  CISA creates a cyberthreat information sharing system to, in the words of the bill, “improve cybersecurity in the United States.”  Specifically, as currently drafted, the bill requires various government actors and agencies (such as the Attorney General and the Department of Homeland Security) to create specific policies and regulations relating to the sharing of cyberthreat data from private entities and within government entities.  … More

This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:

Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.… More

By Martha Coakley and Jon Hurst

This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.

Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The  impact on businesses, government, and other targets is also real,… More

Delaware Attorney General Matt Denn is serious about online privacy, and aims to make Delaware “the safest state in America for kids to use the internet.” This August, Delaware Governor Jack Markell signed into law four online privacy bills drafted by the Attorney General, the most substantial of which is the Delaware Online Privacy and Protection Act.

DOPPA goes further than its federal cousin,… More

Over one year ago, our colleague Chris Hart argued that the District of New Jersey court’s decision in FTC v. Wyndham Worldwide Corp. et. al., No. 13-1887-ES, “point[ed] to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter.” That possibility became substantially more concrete this week,… More

Cross-posting from our State Attorney General blog on the Conference of Western Attorneys General, where cyber security was on the agenda. More

This seminar was presented by Foley Hoag LLP and and a panel of industry experts on ISO 27018, the new international standard governing the processing and protection of personal information by public Cloud Service Providers (CSPs). Even though this new standard is voluntary, it is widely expected to become the benchmark for CSPs going forward.

As the first and only international privacy standard for the cloud,… More

The next MIT Enterprise Forum of Cambridge Innovation Series event, “Building a Proactive Cyber Defense Strategy, from Tools to Tactics,” will take place tomorrow, May 27, beginning at 5:30 p.m. at the Stata Center, 32 Vassar Street, Cambridge. There is a great line-up of speakers, including our own Christopher Hart. More

Last week, the Cybersecurity Unit of the Department of Justice (DOJ) issued a list of “best practices” for companies concerning preparing for and responding to cyber-attacks. The report details the lessons federal prosecutors have learned while handling cyber investigations, as well as feedback from private sector companies. Some of the key pieces of advice are:

• Identify Your “Crown Jewels”: Before creating a cyber-incident response plan,…

More

By Catherine M. Anderson and Robert G. Sawyer

On April 28, 2015, the SEC’s Division of Investment Management (the “Division”) issued a Guidance Update regarding the SEC’s initiative to assess cybersecurity preparedness and threats in the securities industry, further highlighting this as an important area of focus for the SEC in its compliance initiatives.

The full text of the Guidance Update is available here.… More

am just back from presenting at the New York Stock Exchange’s program on Cyber Risks and the Boardroom, where I presented on The Role of Cyber Insurance.  My presentation is here:  2015_04_21_The_Role_of_Cyber_Insurance_NYSE_Presentation.  It was evident from this program that the C-suite is very concerned about cyber issues, but management and their boards often lack the expertise to deal with them effectively. With specific regard to cyber insurance,… More

By Gwen Jaramillo and Shrutih V. Tewarie

As part of a series of measures aimed at increasing preparedness and defenses against international cyberattacks on U.S. industries and government agencies, on April 1, President Obama issued Executive Order No. 13694, authorizing the Treasury Department’s Office of Foreign Assets Control (OFAC) to sanction foreign individuals or entities committing such attacks. The new sanctions will allow the Treasury Department to block or freeze the assets of those outside the U.S.… More

We welcome this guest blog by Gene Fry, Compliance Officer, Scrypt, Inc.

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. This means that any covered entity (CE) or business associate (BA) that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. The HIPAA Privacy Rule addresses the storage,… More

Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.

Here are five takeaways for companies large and small:

1. Companies are only as secure as their most vulnerable employee.…

More

As a follow up to our summary of the key takeaways from the White House’s first Summit on Cybersecurity and Consumer Protection, the centerpiece of which was President Obama’s signing of a new Executive Order, “Promoting Private Sector Cybersecurity Information Sharing,” what follows is an analysis of that Order.

What does the Order actually do?

The Order “promotes…encourages…and…allows” but does not require anything.… More

The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama.  The purpose of the summit:  to “bring[] together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.”  These stakeholders, a number of public and private sector leaders,… More

The SplashData list of worst passwords of 2014 was just published, and it looks very similar to the list in 2013, 2012, 2011, etc.:

Rank
Password
Change from 2013

1
123456
No Change

2
password
No Change

3
12345
Up 17

4
12345678
Down 1

5
qwerty
Down 1

6
123456789
No Change

7
1234
Up 9

8
baseball
New

9
dragon
New

10
football
New

11
1234567
Down 4

12
monkey
Up 5

13
letmein
Up 1

14
abc123
Down 9

15
111111
Down 8

16
mustang
New

17
access
New

18
shadow
Unchanged

19
master
New

20
michael
New

21
superman
New

22
696969
New

23
123123
Down 12

24
batman
New

25
trustno1
Down 1

Sadly,… More

With every swipe of a credit card this holiday season, consumers put their faith in the companies that process and store their information. Yet, it is no secret that data breaches are on the rise, hitting companies large and small. Massive data breaches recently struck Target and Home Depot, to just name a few, and these two breaches alone affected hundreds of millions of consumers and cost the companies hundreds of millions of dollars.… More

I’ve looked at clouds from both sides now
From up and down, and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all

 Joni Mitchell, “Both Sides Now”

Until recently, many cloud users felt like Joni Mitchell in her classic song, “Both Sides Now.” No matter how you looked at clouds,… More

Last week, the HHS Office of Inspector General released a damning report on FDA’s data security:  “The objective of this review was to determine whether the FDA’s network and external Web applications were vulnerable to compromise through cyber attacks.”  In short, they were vulnerable:

Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network,… More

The highly publicized hacking of the iCloud accounts of dozens of celebrities was disclosed over Labor Day weekend and has raised larger, more serious concerns regarding the security of personal and corporate data held in the cloud.

Several explanations for how the hack was achieved have been offered, with some initial pointing the finger at potential flaws in Apple’s security system.… More

Last week, the FTC announced approval of a new Safe Harbor Program under the Children’s Online Privacy Protection Act (COPPA), called iKeepSafe. The program was created by the Internet Keep Safe Coalition, a nonprofit organization that describes its goal as the “creation of positive resources for parents, educators and policymakers who teach youths how to use new media devices and platforms in safe and healthy ways.”

The COPPA Rule affords some flexibility in compliance through use of a safe harbor provision,… More

Picking up on the SEC’s initiative to assess cybersecurity preparedness discussed here previously, state securities regulators in Massachusetts and Illinois sent to investment advisors registered in their respective states a survey on their cybersecurity practices.

The Massachusetts surveys were sent on June 3 and a response is due on June 24. William F. Galvin, Secretary of the Commonwealth, whose jurisdiction includes the Massachusetts Securities Division,… More

To buttress the SEC’s initiative to assess cybersecurity preparedness in its risk alert discussed here previously , the SEC also has the power to bring enforcement actions against registered entities that fail to meet cybersecurity requisites. Specifically, the SEC may bring an enforcement action against registered entities that violate the safeguards rule of Regulation S-P (17 CFR § 248.30(a)) (commonly referred to as the “Safeguards Rule”).… More

Our colleagues Catherine M. Anderson and Jennifer M. Macarchuk have summarized the recent SEC Risk Alert regarding its initiative to assess cybersecurity preparedness and threats in the securities industry, including examinations of more than 50 SEC-registered investment advisers and broker-dealers.

The full text of the Risk Alert is available here.

SEC-registered investment advisers should review the Risk Alert,… More

I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed.  Talk to your IT folks about this sooner rather than later:

By Nicole Vincent Fleming

April 11, 2014 –… More

Cybersecurity remains a hot topic for regulators, including the Securities and Exchange Commission (SEC).  On March 26, 2014, the SEC hosted a roundtable to discuss cybersecurity and the issues and challenges it raises for market participants.  The roundtable addressed cybersecurity concerns for investment advisers, broker-dealers and public companies, and provided a forum to share information as to how they are addressing those challenges. This roundtable follows hard on the heels of the Financial Industry Regulatory Authority (FINRA) sending targeted sweep letters in January-February 2014 to broker-dealers querying their approaches to managing cybersecurity risks.… More

This is a cross-post from our sister blog, Massachusetts Noncompete Law:

Judge Peter M. Lauriat of the Massachusetts Superior Court decided late last year that an employee who takes confidential documents from her employer’s electronic document system to use in a discrimination lawsuit against her employer is not liable to the employer under the Computer Fraud and Abuse Act (CFAA), especially when the employer knew about the lawsuit but nonetheless did not restrict the employee’s access to those documents while she was working for the employer. … More

On January 21, 2014, U.S. District Judge Anthony Battaglia issued a 97 page orderthat dismissed the majority of the claims in a putative class action against various Sony entities, claims relating to the 2011 hack into the computer network system that Sony used to provide online gaming and Internet connectivity through PSP handhelds and PS3 game consoles.

According to Judge Battaglia, “The fifty-one claims alleged in the FACC can be categorized into nine sub-groups: (1) negligence;… More

Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications:

• Legislation:  In the past, we have seen major breaches drive legislative change.  But now that most states have data security statutes, it seems unlikely that much will happen at the state level.  And action at the federal level has been long promised, but remains a distant vision.…

More

In a 68 page order issued earlier today, a federal district court judge ruled in favor of five plaintiffs challenging the NSA’s collection of phone record information, finding that the plaintiffs:

• “have standing to challenge the constitutionality of the Government’s bulk collection and querying of phone records metadata”;
• “have demonstrated a substantial likelihood of success on the merits of their Fourth Amendment claim”;…

More

Recent news of government monitoring of phone calls and emails, both within the U.S. and abroad, has caused some to reexamine their technological companions.  Many are beginning to ask, when highly confidential and sensitive information is being discussed, should our seemingly indispensable technology be checked at the door?

This month, the British government began banning the presence of iPads at certain Cabinet meetings over concerns that the devices could contain viruses that would allow third parties to take control of the microphone and transmit recorded audio. … More

Apple’s latest iteration of the iPhone (the iPhone 5S) went on sale last Friday.  The phone contains a new feature called Touch ID, which allows iPhone owners to unlock and purchase content from Apple’s online store using a fingerprint reader housed in the iPhone’s home button.  As expected, Apple’s use of biometric authentication has raised a number of security and privacy concerns among the public. … More

On February 12, 2013, President Obama signed an executive order entitled “Improving Critical Infrastructure Cybersecurity.”  The Order has two key components.

First, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence must ensure timely production of unclassified reports of cyber threats and must rapidly disseminate the reports to the targeted entities.

Second, the National Institute of Standards and Technology (“NIST”),… More

Yesterday President Obama signed an executive order directing federal agencies to develop voluntary best cyber security practices for key industry sectors and to create a system for broader public-private information sharing, and today administration officials have been speaking at an event highlighting the order. The Order places primary responsibility for managing cyber security in the hands of the Department of Homeland Security. Under the Order, the government will also be identifying baseline data and systems requirements for the government to allow the exchange of information and intelligence,… More

In a recent article, the Washington Post reported that “The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.”

The Pentagon’s plan would create three types of forces under the Cyber Command:

• “national mission forces” to protect computer systems that undergird electrical grids,…

More

A recent article in The Economist questions whether it is safe and secure to trust a company’s computer network to a Chinese company. The specific concern in that The Economist article related to “a Chinese company with connections to the Chinese government and the People’s Liberation Army (PLA)” that would be providing services inside the corporate firewall.  An unnamed former member of the U.S. Joint Chief of Staffs minced no words about this: “We’d be crazy to let [that Chinese company] on our networks,… More

The Obama Administration officially put its weight behind Sen. Lieberman’s Cybersecurity Act of 2012, with the issuance of the following Statement of Administration Policy:

STATEMENT OF ADMINISTRATION POLICY

S. 3414 – Cybersecurity Act of 2012

(Sen. Lieberman, I-CT, and 4 cosponsors)

The Administration strongly supports Senate passage of S. 3414, the Cybersecurity Act of 2012. While lacking some of the key provisions of earlier bills,… More

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat.

On Information Sharing:  This is a continuing challenge, in part because of the way the federal government shares information.  At present, the federal government provides cyber threat information to private sector organizations,… More

Interesting article in Forbes, "The Zero-Day Salesmen," about "government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the ­explicit ­intention of invading or disrupting the computers and phones of crime suspects and intelligence targets." More

What do cyberattackers want?  According to a recent article in the Wall Street Journal, it depends.  And the most dangerous ones are the ones that really know what they want:  the Advanced Persistent Threat (APT).  They APT isn’t easily defined, but think of APTs as professional thieves, going after high-value targets and using sophisticated techniques.  They are Thomas Crown to the every Eddie Coynes of the world. … More

In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords.  But despite the efforts of these researchers, the article’s conclusion is a gloomy one:

The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple.… More

Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces?  A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition of assets.

Apparently Nortel found and investigated the breach in question,… More

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice.

The individual worked as an information technology specialist for a perinatal medical practice in Atlanta.  He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building.  He then used his home computer to hack into his former employer’s patient database. … More

In its recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, the Office of Civil Rights of the Department of Health and Human Services, we see confirmation of certain trends– bigger breaches and breaches involving theft of electronic media:

Between January 1, 2010 and December 31, 2010, breaches involving 500 or more individuals also made up less than one percent of reports,… More

Interesting Wall Street Journal article about rival banks joining forces to beat cyber crime.   Sounds a lot like the Advanced Cyber Security Center. More

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity.
This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.… More

My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."

                                                                     *  *  *

No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud. … More

Interesting article in Friday’s Wall Street Journal on potential cybersecurity legislation to improve information sharing between industry and government.  Perhaps the best part of the article is the citation of statistics from Symantec’s annual Internet Security Threat Report:  Trends for 2009 and 2010 on how many customer has updates Symantec sent out to address new attacks customers were facing:

• 2002:  20,254 updates
• 2003:  19,159 updates
• 2004:  74,981 updates
• 2005:  113,081 updates
• 2006:  167,069 updates
• 2007:  708,742 updates
• 2008:  1,691,323 updates
• 2009:  2,895,802 updates
• 2010:  10,000,000 updates

More

With an inflammatory title like “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence Executive’s “Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011” is tough to ignore.

The Report’s conclusions are equally notable for their candor about the recent actions of the Chinese and Russian governments:

• “Chinese actors are the world’s most active and persistent perpetrators of economic espionage.…

More

cyber-security “Advanced Cyber Security Center”

There is an interesting article in this week’s Boston Business Journal on venture capital in the data security space: "Securing profits: Venture capitalists betting online security will be big money-maker." More

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:

Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,”… More

In a story in the October 17 online edition of the New York Times, it was reported that the United States considered engaging in cyber-warfare against Libya early in the campaign to unseat Colonel Qaddafi. 

What seems clear is that this was not a prize worth the price of the precedent such a cyber-attack would create, particularly as it would open the United States to similar,… More

On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity.
This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.  It follows Chairman Schapiro’s June 2011 letter to Senator Rockefeller on the subject. More

It’s a pretty technical read, but this recent Microsoft report, "Sex, Lies and Cyber-crime Surveys" by Dinei Florencio and Cormac Herley tries to support an interesting hypothesis:  cyber-crime surveys that suggest huge losses from hacking and phishing aren’t reliable.  Here’s an excerpt of their thinking:

First, [cyber-crime] losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses.… More

As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20.  The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley.  As described by MassHighTech:

Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the government,… More

I just completed a webinar for the Association of Corporate Counsel, with Ed Palmieri of Facebook, discussing "What Every In-House Counsel Needs to Know About Data Security and Privacy."  The program slides can be found at this link. More

Interesting article in the recent Economist on the battles within the cyber underground.  Take a look at some of the bigger players in this space:  Anonymous, and its threat to "kill Facebook" and LulzSec.  They present a pretty scary image of our near future. More

Increasingly, alliances are viewed as an important way to improve data security.  The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries.  We have previously noted two other initiatives:   the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).and InfraGuard, a Federal Bureau of Investigation program. … More

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:

• Epsilon: breach of customer email addresses;
• RSA: compromise of security tokens (possibly impacting Lockheed Martin);…

More

Wondering what your company might be able to do at the local level to help fight cybercrime? There are a growing number of public-private collaborations that are trying to get ahead of the bad guys.

One is the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).  The ACSC is a collaborative, cross-sector research facility working to address critical and sophisticated cyber security challenges.… More

As we have noted in the past, there seems to be an ongoing cyber war between North and South Korea.  The latest salvo in that skirmish was apparently fired last month, in a April 12 cyberattack on Nonghyup Bank, which is alleged to have been orchestrated by North Korea. More

In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy —
Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers: 

• “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. It comes down to someone doing something stupid,”…

More

InformationWeek has published an interesting Analytics Brief on "Information Security in the Age of WikiLeaks."  (Subscription required.)  The brief discusses the following subjects:

• Could a Major Security Breach Be on the Horizon?
• The Smartphone Dilemma
• What Elements Are Currently Covered in Your Organization’s Security Awareness Program?
• Security Budgets Fare Well
• Implementing Risk Management Disciplines
• Do You Really Know Who Your Friends Are?…

More

On April 15, the White House formally released its National Strategy for Trusted Identities in Cyberspace. As we noted earlier, the “trusted identity” concept is intended to allow the public and private sectors to collaborate in order to raise the level of trust associated with the exposure of the identities of individuals, organizations, networks, services and devices in online transactions:

The goal of NSTIC is to create an “Identity Ecosystem”… More

The National Institute of Standards and Technology (NIST), a federal agency within the Department of Commerce, has launched a web site detailing the President Obama’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, initially released for public comment in June 2010, was developed in response to the Obama Administration’s 2009 Cyberspace Policy Review, which called for the creation of a “cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests,… More

In NASA v. Nelson, decided today by the U.S. Supreme Court, the high court rejected a challenge to “a section of a form questionnaire that asks employees about treatment or counseling for recent illegal-drug use . . .  [and] to certain open-ended questions on a form sent to employees’ designated references.”

This particular challenge came from 28 employees of the Jet Propulsion Laboratory (“JPL”).  JPL is staffed exclusively by contract employees. … More

If you got a new smartphone over the holidays, you’ve probably figured out how to use it by now.  The next thing to worry about is security.  The good news is that wireless providers are working to fortify their phones against attacks, as explained in this Wall Street Journal article.

There are some personal actions you should consider as well:

1. Set a password and make it a strong one.…

More

Microsoft announced yesterday in its IE blog that it will be adding a tracking protection feature to Internet Explorer 9.  In particular, Microsoft promises that:

1. IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking.
2. “Tracking Protection Lists” will enable consumers to control what third-party site content can track them when they’re online.

Together with the FTC’s jump into the tracking fray last week,… More

The following item was posted recently on Foley Hoag’s Corporate Social Responsibility and the Law blog, and we thought it would be of interest to our readers. Companies seeking to develop privacy policies that both comply with national laws and respect internationally recognized human rights often face difficult challenges, especially when confronted with specific host government requests. All companies concerned with the human rights implications of their activities are advised to assess the sufficiency of existing policies as well as the company’s capacity to identify and manage potentially challenging scenarios.… More

In a recent article in the New York Times discussed the "growing tension between communications companies and governments over how to balance privacy with national security."  This tension is not limited to that context, however.  Nearly every workplace that uses email faces a similar tension between open access and secure communications.  And this debate splits people.  An ongoing informal survey by The Economist suggests that the number of people who want more control and restrictions over communication are nearly equally balanced by those who chafe at such restrictions.  … More

In a federal court case decided earlier this year, United States v. Ahrndt, the court held that an individual had no reasonable expectation of privacy in the use of an unsecured wireless network. The details of this decision are instructive for those still looking at questions of network privacy and security.

This case had its start in 2007, when a woman referred to as JH was using her personal computer at her home in Oregon.… More

Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports].  The highlights of the survey were announced in PGP’s press release.  Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009,… More

Last week was a tough week for Albert Gonzalez, the so-called "leader of the largest hacking and identity theft ring ever prosecuted by the U.S. government."  Gonzalez received a sentence of 20 years of imprisonment in two separate federal cases against him.  The hacker, known variously as "segvec," "soupnazi" and "j4guar17" pled guilty in the New Jersey and Massachusetts cases for his role as mastermind of the two largest financial data breaches ever,… More

Today, the Internet Crime Complaint Center (IC3), a federal organization run as a partnership between the FBI and National White Collar Crime Center, released its 2009 Internet Crime Report (.pdf).  Highlights include:

• IC3 received 336,655 complaints in 2009, an increase of 22% over the prior year.
• The dollar loss caused by incidents reported to IC3 increased more than 100% to $559.7 million.…

More

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data. 

Poorly supervised use of P2P networks have frequently been the subject of unwanted attention,… More

1.  Arrested: Russian Hacker Responsible for Two Minutes of Roadside Porn 

The hacker who managed to compromise computer servers controlling a large commercial advertising screen in Moscow was arrested recently by Russian authorities.  On January 14, 2010, commuters on Moscow’s Garden Ring Road passed a large-scale video screen and instead of the normal commercial advertisements saw two minutes of hard-core pornography.  The video, as well as the resulting traffic problems,… More

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas.  The defendant agreed to the fine, which amounts to $875 per box,… More

1.  Iranian Cyber Army Puts Twitter On Hold

Around 10 pm last night, popular social networking site Twitter, was apparently hacked by a group calling themselves the Iranian Cyber Army.  Iran and Twitter have had a rocky relationship since last summer when Iranian citizens spread the protests over Iranian elections to the popular web site.  During that time, links circulated on Twitter that allowed users to participate in DoS (Denial of Service) attacks on Iranian government websites. … More

Law firms holding sensitive data for their clients are the targets of a new round of organized cyberattacks, federal authorities cautioned this week.  On Tuesday, the FBI warned that U.S. law firms and public relations firms were being targeted by hackers using “spear phishing” attacks — personalized emails drafted to look like they come from a trusted or reputable source and designed to induce the reader to click an attachment or link that will infect his or her computer with malicious software. … More

This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers. This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools.

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected. According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com. The list was limited to accounts starting in A and B, leaving the fear that numerous more accounts had been affected. The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack. But more information is surfacing that indicates that the breach is much larger than first thought.

Incident of the Week: in our first double feature, we report on the recent breach announced at the University of North Carolina and the plea agreement reached with one Massachusetts inmate who hacked the prison computer system while still behind bars.

In a press release issued last week, Massachusetts Attorney General Martha Coakley announced the opening of a "new, state-of-the-art Computer Forensics Lab in Boston" as part of the Attorney General’s Cyber Crime Initiative.  Under the Initiative, the Attorney General’s office received funding from the U.S. Department of Justive to "develop a sustainable cyber crime information sharing program in Massachusetts" for the Massachusetts law inforcement community.… More

In August, Albert Gonzalez was indicted for the theft of credit and debit card information from Hartland Payment Systems, the largest known breach of its kind, while awaiting trial for a similar attack against TJX, the second largest known breach of its kind.  Last week, Gonzalez pleaded guilty to nineteen charges relating to his role in the TJX breach (see Gonzalez’s 2008 indictment (.pdf) for list of the various charges).… More

Yesterday, a federal indictment issued charging four individuals for their role in the "Rabid Neurosis" or RNS, an alleged "Internet music piracy group" that distributed copies of music prior to their commercial release.  According to the seven-page indictment (.pdf) filed in the federal court for the Eastern District of Virginia, between 1999 and 2007, RNS obtained and distributed a number of notable albums before they were released,… More

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware.  The NCUA warned “Should you receive this package or a similar package DO NOT run the CDs.”  The NCUA, which regulates federally insured credit unions,… More

According to a press release from the United States Attorney’s Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history."  According to the press release, the indictment describes a scheme whereby Albert "Segvec" Gonzalez and two unnamed Russian defendants (identified as "Hacker 1"… More

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft.  The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometime install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network. … More

Earlier this week, Latvian internet service provider Real Host was shut down by its upstream providers Junik and TeliaSonera after security experts linked Real Host to a number of criminal activities.  Among the many activies allegedly conducted through Real Host were the use of malware to steal banking credentials, SPAM email campaigns and the service provider was running command and control servers for the Zeus botnet (i.e.,… More

According to recent reports from the Wall Street Journal and Computerworld, on June 30 the United States Secret Service, the Italian police and Italian postal service reached an agreement for the establishment of an international task force to fight cybercrime, including identity theft and computer hacking.   Mark Sullivan, the director of the Secret Service, stated that cybercrime "is not a borderless crime and we believe there needs to be a reaction at an international level." … More

This week, Twitter co-founder Evan Williams confirmed that the company has been the victim of an attack that compromised a number of employee personal accounts at Amazon, PayPal and AT&T, employee personal email and Twitter’s internal company documents.  The hacker, who goes by the handle “Hacker Croll,” has apparently emailed a collection of 310 internal Twitter documents to TechCrunch, including a presentation for a proposed reality television show called “Final Tweet”… More

On the 4th of July an organized series of Denial of Service (DOS) attacks were launched against a number of U.S. government websites (including the White House, Treasury Department and the Federal Trade Commission websites), as well as several websites associated with the South Korean government and a handful of corporate targets (the Washington Post and Nasdaq stock exchange). [If you are wondering what a DOS/DDOS attack is,… More

This week, the U.S. Attorney’s Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25 year old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital’s computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.

While the media frenzy surrounding the Conficker worm may have died down over the past several months, recent reports suggest that the computer worm is alive and well, and continues to expose PC users worldwide to the risk of identity theft and other mischief.

In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of  “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests” is a concern for consumer groups.  Consumers’ concerns range from the transparency of the process to the adequacy of security measures in place to protect information compiled,… More

An appellate court in Ohio was recently called upon to analyze that state’s cybercrime statute, OCR Ann. §2913.04, which criminalizes unauthorized access to protected computers.  In Ohio v. Wolf the court held that a city employee who was using a city computer during work hours to view pornography, visit adult “dating” websites, and solicit sexual activity, had exceeded his authorized access to the computer and was guilty of the felony of “unauthorized use of property;… More

Wikileaks is reported to have published a copy of the ransom note (please pardon the grammar and language in the original): "I have your [expletive] in *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions.  Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 🙁 For $10 million, I will gladly send along the password." … More

Coming on the heels of recent cyberespionage news, the Wall Street Journal reported today on Pentagon plans to create a new military command focused on cyberwarfare.  The new command will coordinate both offensive and defensive cyberwarfare efforts, focusing, in the latter case, on assisting the National Security Agency (NSA) and the Department of Homeland Security’s National Cyber Security Division (NCSD), the lead agency for domestic cybersecurity efforts.… More

In February, Senator John Cornyn (R-Tx.) and Congressman Lamar Smith (R-Tx.) introduced the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth ("SAFETY") Act of 2009 (S. 436, H.R. 1076), which contains a proivision that would require Internet Service Providers (ISPs) to keep subscriber data for "at least" two years.  Specifically, Section 5 of the bill requires that ISPs retain "all records or other information pertaining to the identity of a user of a temporarily assigned network address."… More

According to a recent report from the Wall Street Journal, cyberspies from China, Russia and other countries have penetrated into the U.S. electrical grid and left behind software that could disrupt the system.  According to officials, the spies have not actually damaged the grid or any other key infrastructure, but appear to have been attempting to navigate the electrical system.  More importantly, the intruders could attempt to damage the system during a war or other national security crisis.… More

As I noted a few weeks ago, Senators Jay Rockefeller (D-W.Va.), Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) were drafting new cybersecurity legislation.  Last week the Senators introduced two bills.  The first, S.778 (text of the bill not yet available), would establish an Office of National Security Advisor within the Executive Office of the President.  The second, S.773 (text of the bill not yet available), entitled the Cybersecurity Act of 2009, gives the President the power to limit or shut down Internet traffic to and from any federal government or United States infrastructure network. … More

The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation’s computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate that U.S. losses from data breaches to be in the billions of dollars annually and that future attacks could cause physical harm or serious financial chaos. … More

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players,… More

Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, out of “idle curiosity”. These files contained a wealth of personal information including social security numbers,… More

Senators Jay Rockefeller (D-W.Va.), Chairman of the Senate Commerce, Science and Transportation Committee, Olympia Snowe (R-Maine) and Bill Nelson (D-Fla.) are drafting cybersecurity legislation that would establish a permanent national security czar reporting directly to the White House, according to a recent announcement from Senator Nelson and other reports.  The proposed legislation would also

• require intelligence and Homeland Security officials to perform vulnerability assessments;…

More

As discussed by Mike Rosen on Foley Hoag’s Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company information also admitted that they used that information to leverage a new job.… More