Are Third-Party Vendors the Weakest Link in your Cyber Security Chain?

So, you’ve invested in a top-rate data security system and hired the best CISO (Chief Information Security Officer) imaginable, but have you ever audited the security of the computers used by your attorneys and accountants, to whom you disclose your company’s most confidential and sensitive information? Well, you should. As recently reported in the Wall Street Journal, today’s largest financial institutions are now putting law firms to the test when it comes to the security of the information provided to their attorneys. And rightly so, as most lawyers and other third-party professionals are not in the business of cyber security. See Articles One and Two. Businesses should not be wary of holding their third-party vendors to the highest standard when it comes to cyber security, and it would not be the ...

Join Goldberg Segalla’s John J. Jablonski at DRI’s Data Breach and Privacy Law Seminar

The Defense Research Institute’s inaugural Data Breach and Privacy Law Seminar: Cyber Security Strategies in a Digital Age is almost here. As the threats of data security breaches and concerns over privacy escalate daily — along with the potential costs and reputational risks that accompany a breach or other incident — this is an event that no business, technology, or legal professional can afford to miss. This first-ever conference, which will run September 11–12 at the Conrad Chicago, will offer presentations from data security and privacy professionals who are at the forefront of cutting-edge data security and privacy issues, as well as industry leaders who will provide valuable insight and practical experience. John J. Jablonski, Co-Chair of Goldberg Segalla’s Cyber Risk and Social Media Practice Group and a nationally recognized ...

Can Companies Pre-Emptively Avoid Class Action Suits from Massive Data Breaches? (A Blog Series)

There’s a constant flow of news about massive data breaches nowadays, so much so that the question for companies that store large amounts of personal data is no longer “if” a breach can happen but “when” it will happen. In this series, we’re going to discuss one method that larger companies are using to significantly reduce their risk exposure from massive data breaches: click-wrap terms of use that require users to waive participation in class actions and instead pursue claims only as individuals, by way of arbitration or small claims court. The usual narrative leads to a class action lawsuit brought on behalf of all victims of the breach, who can easily number in the millions. For the most part, these class action lawsuits have been summarily dismissed because plaintiffs have ...

Breach of U.S. Public Utility

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advised in its quarterly report that an unnamed public utility was compromised after attackers took advantage of weak password security by using brute-force techniques, trying various passwords until they hit the right one. This may come as no surprise to some, as the vulnerability of the U.S. power grid to electronic attack has been known since the 1990s. Factors contributing to this increasing danger include the shift from mainframe-based control systems to distributed systems using open protocols and standards, pressures within the industry to automate and cut costs, regulations that require utilities to provide open access to transmission system information, and increasing incidents of terrorism. It’s been reported that the government ...

NYDFS to Conduct Annual Cyber Assessments on NY Regulated Banks

Governor Andrew Cuomo of New York announced on May 6, 2014 that the New York State Department of Financial Services (NYDFS) would begin conducting “new, regular, targeted cyber security preparedness assessments of the banks [NYDFS] regulates.” Governor Cuomo noted, “Targeted cyber security assessments for banks will better safeguard financial institutions from attacks and secure personal bank records from being breached. When consumers sign up for online banking they expect their personal information to be secure and we are working to make sure financial institutions take the proper precautions to safeguard it.” The Governor also announced some findings from a report that was the product of a year-long survey of 154 banks that NYDFS regulates. Some of the findings include: The two biggest challenges to building an adequate cyber security program ...

Lawsuits Follow College’s Untimely Notifications – Can’t Blame the Dog…

Last year, the Maricopa County Community College District suffered a data breach in April but waited until November before advising former students and employees that their academic and/or personal data may have been compromised. Approximately 2.4 million people were impacted by this breach, roughly the population of Pittsburgh, Pennsylvania. Among the data that may have been breached were Social Security numbers, dates of birth, and bank account numbers. Recently, a current student of Phoenix College sued the College District in Maricopa County Court, making a number of allegations, including that the College District was warned by the FBI in January of 2011 that a number of its databases had been breached and made available for sale on the internet, and that the College District’s IT department knew of the ...

Cy-“Burned” – The New Importance of Cyber Insurance

Data breaches that result in the unwanted dissemination of personal information are prevalent in the news of late, particularly given the rapid growth of electronically stored information and online commerce. A data breach can be very, very expensive even for the smallest of companies. This post was originally published on Professional Liability Matters. Please click here to read the rest of the article written by Seth L. Laver, Jessica L. Wuebker, and Matthew D. Cabral.

In a Rare Move, Banks Sue Target’s Data Security Auditor

One of the recurring themes of the Target data breach is “compliance does not guarantee security.” As if in response to the open question of whether compliance auditors should be scrutinized more closely, a group of banks filed a lawsuit on Monday in Chicago federal court against Target’s data security vendor Trustwave, along with Target itself. There are already over 90 lawsuits commenced by consumers or banks against Target, but this is the first to focus on Trustwave, which audits companies’ IT systems to ensure that they comply with credit card security regulations. In the lawsuit, the banks claim that Trustwave “has performed more Payment Card Industry Data Security Standard (PCI DSS) certifications than all other companies combined.” The banks further claim that Trustwave advertised its “deep expertise” in PCI compliance and ...

More Credit Card Security On the Way

There has been a spike in the number of reported credit card breaches in recent days, including the most well-known of them all, Target, which led to the eventual resignation of its Chief Information Officer. Now, the California Department of Motor Vehicles has reportedly experienced a possible breach of its online payment system. It has become clear that the current security measures are insufficient to protect consumers and the corporate entities catering to the credit card consumer. In this regard, both Visa and MasterCard have announced an initiative to increase payment security. The increased security measures will include smart chips and point-of-sale data encryption, advanced chip technology that has, in some regards, already been implemented in other developed countries. It is hoped that the increased security measures will not be ...

Don’t Let Love Lead to a Loss

“Better to have loved and lost than never to have loved at all.” Alfred Lord Tennyson probably did not have computer operating systems in mind when he wrote this famous line. Come April 2014, however, those who aren’t willing to end their love affair with Windows XP may lose big. Windows XP was long the favorite operating system for companies. However, it was also well known for its vulnerabilities, which Microsoft actively serviced by providing patches. On April 8, 2014, Microsoft will stop servicing XP, and this will provide a rich target for hackers who wish to exploit unreported and unpatched vulnerabilities to gain access to XP computers and/or networks. Approximately 20 percent of all computers still utilize XP, including 10 percent of all government computers (some ...