The Cybersecurity & Infrastructure Security Agency (“CISA”) has just released CISA Insights: Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides proactive steps organizations can take to assess and mitigate risks from information manipulation. Malicious actors (i.e., Russia) may use tactics—such as misinformation, disinformation, and malinformation—to shape public opinion, undermine trust, and amplify division, which can lead to impacts to critical functions and services across multiple sectors. …
Category Archives: Risk management
Data Privacy Day Reflections – Compliance, Governance, Ethics (and AI)
January 28 is Data Privacy Day, and on this 14th annual Data Privacy Day, I find myself reflecting on the question of data ethics.
Far from being an academic concept, “data ethics” presents a model for data management with real practical implications for organizations. (I should note that I am focused here on personal data.) To understand what the concept might entail, let’s take a step back and talk about two other models for data management: compliance and governance.…
The SolarWinds Orion Hack: The Basics You Need to Know
By now, you have heard about the SolarWinds Orion hack. But what do you need to know about it?
First, if you want or need the technical details, the Cybersecurity and Infrastructure Security Agency (CISA) has them. In particular, on December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices.…
CISA Issues Ransomware Alert for Activity Targeting the Healthcare and Public Health Sectors
On October 28, 2020, a joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures used by cybercriminals against targets in the healthcare and public health sectors to infect their systems with Ryuk ransomware for financial gain.
Best Privacy and Security Practices, COVID-19 Edition (Hint: Fewer Differences than You Might Think)
Businesses scrambling to move their workforces into remote environments are rightly concerned about the smooth and productive flow of information, including questions about whether there will be any government support for building out a remote infrastructure, and what limitations there are on the kinds of information employers may obtain or share to minimize the health impacts on their employees (both questions, among many others, that Foley Hoag’s COVID-19 Task Force was built to help answer). …
FBI Warns of Teleconferencing and Online Classroom Hijacking
If you are among the many people turning to video-teleconferencing (VTC) to stay connected during the COVID-19 pandemic, you need to protect yourself from “Zoom-bombing” – the entrance of uninvited individuals into your VTC. The FBI has received multiple reports of conferences being disrupted by offensive images and/or threatening language.
The FBI recommends the following steps to mitigate VTC hijacking threats:
- Do not make meetings or classrooms public:
  - In Zoom,…
Presentation: Risk Awareness and Management for Life Science Companies
Foley Hoag partners Colin Zick and Janine Ladislaw joined Licata Risk Advisors for a discussion on how to improve awareness and understanding of a company’s key risk exposures and how to mitigate and insure them. Topics included privacy and data security law, cybersecurity risk threat vectors, preventing IP infringement claims, and more. Click here to download the materials.
FERC and NERC Talk Grid Resilience and Cybersecurity
On March 22, 2019, Foley Hoag hosted the New England Electricity Restructuring Roundtable, organized by Raab Associates. The roundtable featured keynote addresses by Federal Energy Regulatory Commission (“FERC”) Commissioner Cheryl LaFleur—who recently announced she will be stepping down later this year—and North American Reliability Corporation (“NERC”) CEO and President James Robb. Both took turns addressing the most pressing issues in energy. …
Is Your Company’s Board of Directors Cyber Savvy?
Every company should expect that at some point it will experience a data breach. Whether as a result of hackers, disgruntled employees, or careless acts such as losing an unencrypted phone or laptop, data breaches may subject companies to liability and must be handled with speed and great care. What are the responsibilities of directors in preventing and addressing data breaches?
Without a doubt, directors must be generally aware of the data security risks facing the company and ensure that the company is prepared to manage those risks appropriately and has an incident response plan for a data breach.…
Minimizing Litigation Risk: What Cybersecurity Auditors Can Learn From Their Financial Statement Auditor Analogues
Data breaches – always critically important to those with responsibility for storing, transporting and protecting electronic information – have become an all-consuming topic of late. Stories about data theft dominate political headlines, boardroom discussions, and family meetings around the dinner table. They, of course, have also been the subject of government investigations and private litigation.
The current environment is not unlike other moments in our recent past that seemed to have captured the attention of Wall Street,…
Cyber Insurance: Prevalent But By No Means Ubiquitous
A recent survey from the credit score company FICO has some interesting numbers on the prevalence of cyber insurance in the US.
- 50% of US companies have no cyber insurance.
- 74% of US healthcare companies have no cyber insurance.
- 27% of US companies say they have no future plans to acquire cyber insurance.
Today, you can expect the more traditional types of business insurance,…