Tag: cybersecurity

Don’t let Cyber Insurance be Your Cybersecurity Plan

By Jon Washburn, Hunter Ferguson and Jeff Jones on Posted in Announcements, Cyber Crime, Data Breach, Disaster Recovery, Insurance Coverage, Security
In a recent letter to insurers, the New York State Department of Financial Services (“NYDFS”) acknowledged the key role cyber insurance plays in managing and reducing cyber risk – while also warning insurers that they could be writing policies that have the “perverse effect of increasing cyber risk.” If a cyber insurance policy does not … Continue Reading

Digital Transformation – Cybersecurity Lessons from Recent Lawsuits

By Romaine Marshall, Jon Washburn and Jose Abarca on Posted in Cyber Attack, Privacy, Security
Digital transformation,[1] the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.”[2] But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly. As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General … Continue Reading

Securing Online Shopping has Never Been More Important

By Jon Washburn and Fred Struve on Posted in COVID-19, Data Breach, Internet, Security, Software
In the wake of the COVID-19 pandemic, more consumers than ever before are shopping online – and they’re not likely to be very forgiving to any retailer that breaches their personal information. According to this recent survey from payment solutions provider PCIPal, 64% of people in the US would avoid a business following a COVID-19 … Continue Reading

Is Your Incident Response Plan Ready for Novel Computer Viruses?

By Romaine Marshall and Jose Abarca on Posted in Cyber Attack, Phishing, Security
A “novel” virus is one that has not been previously identified, according to the Centers for Disease Control and Prevention.[1]  In 2000, like the COVID-19 virus that was officially named on February 11, 2020, the ILOVEYOU virus became a global pandemic for data systems.  Within days, millions of computers were infected as the virus compromised … Continue Reading

Soon, All Ransomware Attacks May Be Data Breaches

By Jon Washburn and Romaine Marshall on Posted in Cyber Attack, Cyber Crime, Data Breach, Privacy, Security
As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has … Continue Reading

Your Security Program Must Think Beyond Malware Protection

By Jon Washburn on Posted in Cyber Attack, Security
According to Crowdstrike’s most recent Global Threat Report, in 2019 they observed that malware-free attacks – attacks  where malicious files are not written to disk – outpaced malware attacks by 51% to 49%. In Malware-free attacks, the attackers leverage Tactics, Techniques and Procedures (TTPs) that are less likely to be detected by traditional anti-malware solutions.  … Continue Reading

Utah Considers a Cybersecurity Safe Harbor as Ransomware Runs Riot

By Romaine Marshall on Posted in Cyber Crime, ePrivacy, Law/Regulation Update, Privacy, Security
Last year the FTC mandated what an organization’s written cybersecurity program should include to avoid being deemed “unfair and deceptive” to consumers,[1] and this year California consumers whose personal information is compromised may file lawsuits against organizations that failed to implement “reasonable security.”[2] But several states provide legal safe harbors to organizations with written cybersecurity programs. … Continue Reading

NIST Releases a Standard for Privacy

By Romaine Marshall on Posted in ePrivacy, Privacy, Security
As states fill the legal void for consumer privacy rights,[1] a new federal standard has emerged to assist companies with their compliance efforts. The National Institute of Standards and Technology (“NIST”) Privacy Framework (“PF”) was released last month to help organizations manage the risks associated with their data processing activities. What the PF Does The … Continue Reading

Trickbot and Emotet Financial Malware Now Attacking the Healthcare Industry

By Jon Washburn on Posted in Announcements, Cyber Attack, Cyber Crime, HIPAA, Security
In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge. Used primarily as ’banking Trojans” … Continue Reading

Cyber Risk Update for Construction Companies

By Tamara Boeck and Jon Washburn on Posted in Cyber Attack, Cyber Crime, Data Breach, Fraud, Privacy
Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from … Continue Reading

Achieving Industry Standards

By Romaine Marshall on Posted in Cyber Attack, Cyber Crime, Data Breach, Privacy, Security
For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?” These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a … Continue Reading

Privacy Attorney Dustin Berger Achieves (ISC)2 CISSP Certification

By Hunter Ferguson on Posted in Announcements
Stoel Rives LLP is pleased to announce that information privacy & data security attorney Dustin Berger has been recognized as an (ISC)2 Certified Information Systems Security Professional (CISSP). This certification demonstrates an individual’s understanding of cybersecurity strategy and its hands-on implementation. It also confirms that the holder has the advanced knowledge and technical skills to … Continue Reading

New tool released that may allow bad actors with almost any skill set to bypass many implementations of Two-Factor Authentication (2FA)

By Jon Washburn on Posted in Cyber Attack, Cyber Crime, Phishing, Security, Software
Until recently, hackers have had limited success stealing Two-Factor Authentication (2FA) PIN and token information.  Unfortunately, a tool has been released that will now make it much easier for practically any bad actor to bypass many implementations of 2FA: https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/ This does not mean we should stop using Two-Factor Authentication (2FA). We should still use … Continue Reading

Anthem Pays OCR $16 Million in Record-Breaking HIPAA Data Breach Settlement

By Sarah Bimber on Posted in Cyber Attack, Data Breach, HIPAA, Regulators, Security
The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement … Continue Reading

When was the last time you looked at RDP access?

By Jon Washburn on Posted in Cyber Attack, Cyber Crime, Data Breach, Security
A presentation at Black Hat recently revealed that the creators of the “SamSam” ransomware have netted over $6M to date, attacking mostly medium-to-large public and private sector organizations. And they’re showing no signs of slowing down. In the most recent SamSam attacks, the attackers concentrated their efforts on brute-force hacking of weak passwords on devices accessible … Continue Reading

New threat targeting old medical imaging equipment

By Jon Washburn on Posted in Cyber Attack, Cyber Crime, HIPAA, Industrial Control Systems, Security
Health care providers and suppliers should be wary of the “Orangeworm” threat, an implementation of malware out in the wild that’s gathering information off of compromised medical equipment, especially old systems where file shares and Windows XP are still in use: https://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/ While this group seems to be limiting their actions to reconnaissance and compromising … Continue Reading
LexBlog