Join me, Stoel Rives’ Chief Information Security Officer (and Global Privacy & Security Blog® author) Jon Washburn, for a panel discussion in which I will partner with top industry CISOs and CIOs to address the most pressing cybersecurity challenges of 2021. Register now for free for the Seattle & Portland Virtual Cybersecurity Summit.
Jon Washburn manages the firm’s information governance, compliance, and ISO 27001-certified information security programs and is a cybersecurity and technology resource for multiple Stoel Rives practice teams.
In a recent letter to insurers, the New York State Department of Financial Services (“NYDFS”) acknowledged the key role cyber insurance plays in managing and reducing cyber risk – while also warning insurers that they could be writing policies that have the “perverse effect of increasing cyber risk.” If a cyber insurance policy does not…
Digital transformation, the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.” But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly.
As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General by Dunkin’ Brands, digital transformation has numerous cybersecurity issues that present legal obligations and potential liability.
In May, Blackbaud, Inc., a company that provides cloud software services to thousands of non-profits including hospitals, suffered a ransomware attack. In July, it began informing its users of the attack, many of whom used Blackbaud to process personal and sensitive information.
On August 12, the first of many lawsuits was filed against Blackbaud. Among the allegations in the lawsuit, Blackbaud is accused of failing to properly monitor its computer network and systems, failing to implement policies to secure communications, and failing to train employees.
The five years prior to the attack are telling. In that timeframe, Blackbaud underwent a digital transformation that involved acquiring numerous other software platforms including a predictive modeling platform, and a software provider focused solely on corporate giving.
Since the ransomware attack, Blackbaud has published cybersecurity improvements that support adherence to industry standards for incident management, employee training, systems and network testing, risk assessments, application security, encryption, and end-user authentication.
Continue Reading Digital Transformation – Cybersecurity Lessons from Recent Lawsuits
Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive. The main driver of this process is often data. For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.
While executing digital transformation the right way can lead to…
In the wake of the COVID-19 pandemic, more consumers than ever before are shopping online – and they’re not likely to be very forgiving of any retailer that breaches their personal information. According to this recent survey from payment solutions provider PCI Pal, 64% of people in the US would avoid a business following a COVID-19…
March 2020 will long be remembered as the month and year of en masse shutdowns. But the pandemic has done little if anything to slow new cybersecurity and data privacy laws. As highlighted below, regulations for one have been submitted (CA), another has gone into effect (NY), and yet another has been proposed (CA).
California Consumer Privacy Act (“CCPA”) Gets Confirmed by State Attorney General
After nine months, a lot of public input, and three proposed drafts, the regulations for enforcement of the CCPA have been submitted for approval. The final text of the regulations demonstrates how granular enforcement could be. Here are five examples:
- A business must provide at least two methods for consumers to send requests for deletion of their information.
- A service provider can retain, use, or disclose information in certain circumstances, such as to detect security incidents even after a deletion request.
- A business must confirm within 10 days that it has received a request to know what it has collected from consumers.
- A business must have a documented policy for verifying the identity of a person making a request related to their personal information.
Businesses are instituting widespread remote work policies and procedures to facilitate social distancing and “flatten the curve.” Enterprises simultaneously need to be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to well-intentioned employee shortcuts. Hackers will try to take advantage of…
As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has…
According to CrowdStrike’s most recent Global Threat Report, in 2019 they observed that malware-free attacks – attacks where malicious files are not written to disk – outpaced malware attacks by 51% to 49%. In malware-free attacks, the attackers leverage Tactics, Techniques and Procedures (TTPs) that are less likely to be detected by traditional anti-malware…
As states fill the legal void for consumer privacy rights, a new federal standard has emerged to assist companies with their compliance efforts. The National Institute of Standards and Technology (“NIST”) Privacy Framework (“PF”) was released last month to help organizations manage the risks associated with their data processing activities.
What the PF Does…
In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge.
Used primarily as ‘banking…