Data Breach

Subscribe to Data Breach

If you manage a company that collects and otherwise processes personal data (which is just about every company, these days), you may need to protect your own pocketbook.  As governments across the globe continue to enact and enforce data privacy, data protection, and cybersecurity laws, data becomes more readily available, and the volume of incidents

In a recent letter to insurers, the New York State Department of Financial Services (“NYDFS”) acknowledged the key role cyber insurance plays in managing and reducing cyber risk – while also warning insurers that they could be writing policies that have the “perverse effect of increasing cyber risk.” If a cyber insurance policy does not

Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive.  The main driver of this process is often data.  For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.

While executing digital transformation the right way can lead to

Last July, Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.[1]  Within days, lawsuits were filed nationwide asserting an assortment of claims relating to the data breach.

Last week, in a class action filed in Virginia a federal magistrate ordered Capital One to provide its incident report for the data breach to counsel for the plaintiffs.  Capital One had contended that the report is protected attorney work product and that it shouldn’t have to.  The Virginia court disagreed, for reasons that are instructive.

When an Incident Report Is Not Attorney Work Product

Since 2015, Capital One had retained Mandiant to provide various cybersecurity services.  The data breach occurred in March 2019, but it was not confirmed until July 19 of that year.  A day later Capital One retained outside counsel which then retained Mandiant to assist with its investigation on July 24.  Then, on July 29 the public was notified about the data breach.

The issue the court decided last week was whether the Mandiant incident report was privileged and therefore protected from disclosure by the work product doctrine.[2]  This doctrine generally preserves the privacy of attorneys’ case materials, but it has limits.  To guide its decision in Capital One the court stated:

In order to be entitled to protection, a document must be prepared “because of” the prospect of litigation and the court must determine “the driving force behind the preparation of each requested document” in resolving a work product immunity question.[3]

Applying this standard, the court believed the incident report would have been prepared anyway even if the data breach had not occurred and determined that it needed to be disclosed.  In reaching this conclusion, after “considering the totality of the circumstances,” the court found these facts compelling:
Continue Reading Court Orders Disclosure of Capital One’s Incident Report

As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has

Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from

For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?”

These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a “culture of change” that better protects consumers – were part of separate meetings with each of the five FTC commissioners last month. On the heels of these meetings, Senator Ron Wyden (D-OR) proposed federal legislation that would give the FTC new powers and incarceration for executives who fail to meet industry standards.

With the FTC already requiring at least one CEO to verify that a company is meeting industry standards for privacy, the question of what industry standards apply is more important than ever. Since 2010 the FTC has resolved about 50 cases involving alleged cybersecurity incidents and privacy violations (mostly the latter). In 12 of these the FTC named directors and officers and their organizations. In four of these the FTC negotiated settlements requiring organizations to establish and implement written cybersecurity and privacy programs. As noted previously, the FTC has been on a tear”[1] and recently mandated that Equifax implement a comprehensive cybersecurity program that included, “at a minimum,” 26 requirements.

Which brings us back to Chairman Simons’ questions and what constitutes “industry standards.” Some laws and commonly used contract terms define industry standards as “the usual and customary practices in the delivery of products or services within a particular business sector.”[2] Industry standards can also refer to a standard adopted by a Standards Setting Organization. Establishing such standards takes time as they must be tested to ensure broad application. Enter NIST – the National Institute of Standards and Technologies.[3]

In February 2013, an executive order was issued requiring government and private sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”[4] A year later the NIST Cybersecurity Framework (“CSF”) was published and last year on April 16 it was updated. The Organization of American States and Amazon Web Services recently described it as:

[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach to strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs.[5]

The CSF can be found here: https://www.nist.gov/cyberframework.

Continue Reading Achieving Industry Standards

In late January, the U.S. Department of Health and Human Services’ Healthcare & Public Health Sector Coordinating Council issued a new cybersecurity guidance document for healthcare businesses of all sizes. The guidance document, entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx, provides concrete and practical guidance for addressing what the Council has identified as the “most impactful threats . . . within the industry” and serves as a renewed call to action for implementation of appropriate cybersecurity practices. This document is critical reading for healthcare business managers faced with ever-increasing cybersecurity risks and the attending risks to patient safety and operational continuity, business reputation, financial stability, and regulatory compliance.

Continue Reading HHS Issues Practical New Cybersecurity Guidance for Healthcare Businesses of all Sizes

About the Global Privacy & Security Blog

Learn More

Contracts, laws and regulations require privacy compliance, and good business practices demand it. This blog is designed to inform our clients and readers about developing privacy issues and regulatory updates, and provide alerts on cyber security stories and data breaches that impact various data privacy and security requirements.