Data breaches are on the rise. So are the lawsuits that follow. This has led to an environment where cyber-forensics service providers are more important than ever. Clients seeking these services, however, often do so after becoming the unwilling victims of a data breach. And those circumstances create uncertainty for protecting — either as attorney-client
Cyber Attack
Digital Transformation – Cybersecurity Lessons from Recent Lawsuits
Digital transformation,[1] the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.”[2] But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly.
As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General by Dunkin’ Brands, digital transformation has numerous cybersecurity issues that present legal obligations and potential liability.
Blackbaud
In May, Blackbaud, Inc., a company that provides cloud software services to thousands of non-profits including hospitals, suffered a ransomware attack.[3] In July, it began informing its users of the attack, many of whom used Blackbaud to process personal and sensitive information.
On August 12, the first of many lawsuits was filed against Blackbaud. Among the allegations in the lawsuit, Blackbaud is accused of failing to properly monitor its computer network and systems, failing to implement policies to secure communications, and failing to train employees.
The five years prior to the attack are telling. In that timeframe, Blackbaud underwent a digital transformation that involved acquiring numerous other software platforms including a predictive modeling platform, and a software provider focused solely on corporate giving.
Since the ransomware attack, Blackbaud has published cybersecurity improvements that support adherence to industry standards for incident management, employee training, systems and network testing, risk assessments, application security, encryption, and end-user authentication.[4]
Continue Reading Digital Transformation – Cybersecurity Lessons from Recent Lawsuits
Digital Transformation – Regulator Issues $80 Million Penalty for Not Doing It Right
Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive. The main driver of this process is often data. For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.
While executing digital transformation the right way can lead to…
Is Your Incident Response Plan Ready for Novel Computer Viruses?
A “novel” virus is one that has not been previously identified, according to the Centers for Disease Control and Prevention.[1] In 2000, like the COVID-19 virus that was officially named on February 11, 2020, the ILOVEYOU virus became a global pandemic for data systems. Within days, millions of computers were infected as the virus compromised files and caused widespread email outages. The virus appeared in inboxes as fake messages with infected attachments:
Since then, scores of novel viruses have been deployed as destructive malware. The ILOVEYOU virus, MyDoom worm, SOBig spam, and WannaCry ransomware alone are said to be responsible for $95 billion in financial damages. As a result, anti-virus software has become a multi-billion-dollar, must-have computer program, and cybersecurity has become a multidisciplinary industry fighting an evolving threatscape.
Continue Reading Is Your Incident Response Plan Ready for Novel Computer Viruses?
Soon, All Ransomware Attacks May Be Data Breaches
As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has…
Your Security Program Must Think Beyond Malware Protection
According to Crowdstrike’s most recent Global Threat Report, in 2019 they observed that malware-free attacks – attacks where malicious files are not written to disk – outpaced malware attacks by 51% to 49%. In Malware-free attacks, the attackers leverage Tactics, Techniques and Procedures (TTPs) that are less likely to be detected by traditional anti-malware…
Trickbot and Emotet Financial Malware Now Attacking the Healthcare Industry
In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge.
Used primarily as ’banking…
Cyber Risk Update for Construction Companies
Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from…
Achieving Industry Standards
For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?”
These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a “culture of change” that better protects consumers – were part of separate meetings with each of the five FTC commissioners last month. On the heels of these meetings, Senator Ron Wyden (D-OR) proposed federal legislation that would give the FTC new powers and incarceration for executives who fail to meet industry standards.
With the FTC already requiring at least one CEO to verify that a company is meeting industry standards for privacy, the question of what industry standards apply is more important than ever. Since 2010 the FTC has resolved about 50 cases involving alleged cybersecurity incidents and privacy violations (mostly the latter). In 12 of these the FTC named directors and officers and their organizations. In four of these the FTC negotiated settlements requiring organizations to establish and implement written cybersecurity and privacy programs. As noted previously, the FTC has been on a tear”[1] and recently mandated that Equifax implement a comprehensive cybersecurity program that included, “at a minimum,” 26 requirements.
Which brings us back to Chairman Simons’ questions and what constitutes “industry standards.” Some laws and commonly used contract terms define industry standards as “the usual and customary practices in the delivery of products or services within a particular business sector.”[2] Industry standards can also refer to a standard adopted by a Standards Setting Organization. Establishing such standards takes time as they must be tested to ensure broad application. Enter NIST – the National Institute of Standards and Technologies.[3]
In February 2013, an executive order was issued requiring government and private sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”[4] A year later the NIST Cybersecurity Framework (“CSF”) was published and last year on April 16 it was updated. The Organization of American States and Amazon Web Services recently described it as:
[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach to strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs.[5]
The CSF can be found here: https://www.nist.gov/cyberframework.Continue Reading Achieving Industry Standards
HHS Issues Practical New Cybersecurity Guidance for Healthcare Businesses of all Sizes
In late January, the U.S. Department of Health and Human Services’ Healthcare & Public Health Sector Coordinating Council issued a new cybersecurity guidance document for healthcare businesses of all sizes. The guidance document, entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx, provides concrete and practical guidance for addressing what the Council has identified as the “most impactful threats . . . within the industry” and serves as a renewed call to action for implementation of appropriate cybersecurity practices. This document is critical reading for healthcare business managers faced with ever-increasing cybersecurity risks and the attending risks to patient safety and operational continuity, business reputation, financial stability, and regulatory compliance.
Continue Reading HHS Issues Practical New Cybersecurity Guidance for Healthcare Businesses of all Sizes
New tool released that may allow bad actors with almost any skill set to bypass many implementations of Two-Factor Authentication (2FA)
Until recently, hackers have had limited success stealing Two-Factor Authentication (2FA) PIN and token information. Unfortunately, a tool has been released that will now make it much easier for practically any bad actor to bypass many implementations of 2FA:
https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/
This does not mean we should stop using Two-Factor Authentication (2FA). We should still use…