Data breaches are on the rise.  So are the lawsuits that follow.  This has led to an environment where cyber-forensics service providers are more important than ever.  Clients seeking these services, however, often do so after becoming the unwilling victims of a data breach.  And those circumstances create uncertainty for protecting — either as attorney-client

If you manage a company that collects and otherwise processes personal data (which is just about every company, these days), you may need to protect your own pocketbook.  As governments across the globe continue to enact and enforce data privacy, data protection, and cybersecurity laws, data becomes more readily available, and the volume of incidents

In a recent letter to insurers, the New York State Department of Financial Services (“NYDFS”) acknowledged the key role cyber insurance plays in managing and reducing cyber risk – while also warning insurers that they could be writing policies that have the “perverse effect of increasing cyber risk.” If a cyber insurance policy does not

Is your business using or thinking of using facial recognition technology for activities in Portland, Oregon? Think again.

That’s the message to businesses operating in Portland in a new ordinance that broadly bans the use of facial recognition technology in the city, subject to certain exceptions. The ordinance, which took effect January 1, 2021, restricts private businesses from using automated or semi-automated processes to identify an individual by comparing an image of a person captured through a camera with images of multiple individuals in a database. Due to the expansive language contained in the final version of the ordinance, routine business practices used to support or improve operations are no longer permitted. For example, retailers may have previously used software that compares surveillance video images of individuals as they enter a store with a cloud-based photo database to identify suspected shoplifters. The ordinance now prohibits use of this software.

The law also has teeth. It creates a private right of action, statutory damages of $1,000 per day for each violation, and allows for recovery of attorneys’ fees. Similar to other biometric privacy laws, this ordinance has the potential to trigger a wave of costly class action litigation and upend business operations. This ordinance creates significant risk with use of facial recognition technology, and organizations should proceed with this awareness. The law also raises numerous unanswered questions, as noted below.
Continue Reading Portland’s New Facial Recognition Ban Increases Litigation Risk, Creates Uncertainty

Digital transformation,[1] the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.”[2] But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly.

As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General by Dunkin’ Brands, digital transformation has numerous cybersecurity issues that present legal obligations and potential liability.

Blackbaud

In May, Blackbaud, Inc., a company that provides cloud software services to thousands of non-profits including hospitals, suffered a ransomware attack.[3]  In July, it began informing its users of the attack, many of whom used Blackbaud to process personal and sensitive information.

On August 12, the first of many lawsuits was filed against Blackbaud.  Among the allegations in the lawsuit, Blackbaud is accused of failing to properly monitor its computer network and systems, failing to implement policies to secure communications, and failing to train employees.

The five years prior to the attack are telling.  In that timeframe, Blackbaud underwent a digital transformation that involved acquiring numerous other software platforms including a predictive modeling platform, and a software provider focused solely on corporate giving.

Since the ransomware attack, Blackbaud has published cybersecurity improvements that support adherence to industry standards for incident management, employee training, systems and network testing, risk assessments, application security, encryption, and end-user authentication.[4]
Continue Reading Digital Transformation – Cybersecurity Lessons from Recent Lawsuits

Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive.  The main driver of this process is often data.  For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.

While executing digital transformation the right way can lead to

March 2020 will long be remembered as the month and year of en masse shutdowns.  But the pandemic has done little if anything to slow new cybersecurity and data privacy laws.  As highlighted below, regulations for one have been submitted (CA), another has gone into effect (NY), and yet another has been proposed (CA).

California Consumer Privacy Act (“CCPA”) Gets Confirmed by State Attorney General

After nine months, a lot of public input, and three proposed drafts, the regulations for enforcement of the CCPA have been submitted for approval.  The final text of the regulations demonstrates how granular enforcement could be.  Here are five examples:

  1.  A business’s required privacy policy must include the date it was last updated.
  2. A business must provide at least two methods for consumers to send requests for deletion of their information.
  3. A service provider can retain, use, or disclose information in certain circumstances, such as to detect security incidents even after a deletion request.
  4. A business must confirm within 10 days that it has received a request to know what it has collected from consumers.
  5. A business must have a documented policy for verifying the identity of a person making a request related to their personal information.

Continue Reading Coast to Coast and Back Again – Cybersecurity and Data Privacy Rules

A “novel” virus is one that has not been previously identified, according to the Centers for Disease Control and Prevention.[1]  In 2000, like the COVID-19 virus that was officially named on February 11, 2020, the ILOVEYOU virus became a global pandemic for data systems.  Within days, millions of computers were infected as the virus compromised files and caused widespread email outages.  The virus appeared in inboxes as fake messages with infected attachments:

Since then, scores of novel viruses have been deployed as destructive malware.  The ILOVEYOU virus, MyDoom worm, SOBig spam, and WannaCry ransomware alone are said to be responsible for $95 billion in financial damages.  As a result, anti-virus software has become a multi-billion-dollar, must-have computer program, and cybersecurity has become a multidisciplinary industry fighting an evolving threatscape.
Continue Reading Is Your Incident Response Plan Ready for Novel Computer Viruses?

Businesses are instituting widespread remote work policies and procedures to facilitate social distancing and “flatten the curve.” Enterprises simultaneously need to be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to well-intentioned employee shortcuts. Hackers will try to take advantage of

As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has