Major Cyber Attack on Britain’s National Health Service

London_iStock_000054776234_Medium

A widespread cyber attack has breached healthcare services across England and Scotland, possibly impacting up to 33 NHS organizations and additional general practitioners. The Prime Minister has confirmed the attack, and that the National Cyber Security Centre is already working with NHS digital to safeguard patient data. More information can be found here.  
Continue Reading...


Don’t Be Held Hostage by Ransomware

GettyImages-618534958 (1) Chair of Goldberg Segalla’s Cyber Risk Practice Group, John J. Jablonski, Esq., offers insights on avoiding a ransomeware attack in a recent blog post for the Pennsylvania Institute of Certified Public Accountants, accessible here. John will also be sharing his insights on cybersecurity at the PICPA Data Privacy and Security for Professional Service Organizations program in Philadelphia on May 24.
Continue Reading...

Re-Thinking the U.S. Government’s Approach to Cybersecurity

Central Intelligence Agency Are the “cybersecurity” tools used by the CIA and NSA causing harm to U.S. businesses and citizens? An analysis of the WikiLeaks materials, and recent hacker activity, suggests the answer may be yes. This month, it was revealed that at least 40 cyber attacks on organizations in 16 countries were conducted with top-secret hacking tools, according to security researcher Symantic Corporation. While not formally blaming the CIA, Symmantic said it connected these attacks to the CIA hacking tools obtained by WikiLeaks, and that the targets were government entities or had some national security value. The CIA efforts, however, do not appear to be limited to foreign targets. Cisco Systems, whose Internet switches direct electronic traffic, has also reported that the CIA exploited flaws allowing eavesdropping across 300 different Cisco products. ...
Continue Reading...

April Brings Showers … and Changes to State Data Breach Notification Laws

Vector of highly detailed map of New Mexico state of the United States of America grunge style - easy edit to take off grunge effect or to edit colors Over the past few weeks there have been noteworthy changes to data breach notification acts within several states. Of importance, New Mexico enacted its first notification law while Tennessee and Virginia amended existing legislation. New Mexico On April 6, 2017 New Mexico enacted HB 15, the Data Breach Notification Act, making it the 48th state to pass a notification law. The Act goes into effect on June 16, 2017, leaving Alabama and South Dakota as the only states without notification requirements. The Act, drawing on other state’s recent amendments, included biometric data (fingerprints, facial characteristics, retina patterns, etc.) in its definition of personal identifying information. The Act’s three components include: (1) Disposal of personal identifying information; (2) Security Measures for Storage of personal identifying information; and (3) Notification of a ...
Continue Reading...

IRS Student Loan Application Program Breach Affecting up to 100,000 Taxpayers

463151329 On April 6, 2017, IRS Commissioner John Koskinen testified during a Senate Finance Committee meeting that the personal data of up to 100,000 taxpayers may have been compromised by hackers accessing both students’ and parents’ tax information through the Data Retrieval Tool (DRT), a free application for federal student aid data retrieval connected with the Free Application for Federal Student Aid (FAFSA). Obtaining such information allowed these hackers to file fraudulent tax returns and steal refunds. The last breach of this magnitude occurred in 2015, when outside hackers gained access to over 300,000 tax returns, stealing data and initiating fraudulent returns. In the fall of 2016, the IRS recognized the possibility of a similar threat after noticing that hackers could take advantage of the DRT program which contained both students’ ...
Continue Reading...

Congress Rolls Back FCC Privacy Regulations

US Capitol On March 28, 2017, Congress passed legislation (S.J. Res. 34) that rolled back privacy regulations recently adopted by the Federal Communications Commission. The resolution passed the Senate by a vote of 50-48 and the House by a voted of 215 to 205. This is one of several sets of regulations Congress is rolling back under the authority of the Congressional Review Act of 1996. Under this statute, Congress can nullify administrative regulations by simply passing a joint resolution of disapproval. On December 2, 2016, the FCC adopted a set of regulations entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (81 Fed. Reg. 87274 (December 2, 2016)). As noted in the Federal Register noted, these rules focused “on transparency, choice, and data security, and provides heightened protection ...
Continue Reading...

New York Issues Final Cybersecurity Regulation

On February 13, 2017, the New York Department of Financial Services (NYDFS) adopted the final version of its first-of-its-kind cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). This regulation took effect on March 1, 2017. The final regulation reflects several of the comments offered during the final comment period that concluded on January 27, 2017. For a prior list of significant changes from the initial version to the second version, please see our blog post located here. Most of the changes that are contained in the final regulation consist of formatting and technical changes. Some new provisions clarify already existing provisions, e.g., Section 500.17(b) clarifies that the annual report to the Superintendent should be a report on the prior year. Other minor changes include record retention requirements ...
Continue Reading...

NYDFS Issues Updated Cybersecurity Regulation

Data Protection The New York Department of Financial Services (NYDFS) recently issued an updated version of its proposed cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). The updated proposed regulation reflects several of the comments offered during the initial public notice and comment period that concluded on November 14, 2016. Some of the most noteworthy changes in the revision are as follows: Section 500.04 — NYDFS clarified that while a Covered Entity must designate a qualified individual to perform the responsibilities of a Chief Information Security Officer (CISO) outlined in the regulation, that individual is not required to have this specific title. This individual is also not required to be dedicated exclusively to performing the duties of the CISO. Section 500.13 — The previous version required each Covered Entity ...
Continue Reading...

Despite Recent High-Profile Dismissals, Wendy’s Shareholders Try Again with Cybersecurity-Related Derivative Lawsuit

iStock_000038012250_Large The resilient plaintiff’s bar is not backing down from their quest to hold directors and officers personally liable for corporate misconduct that leads to cybersecurity breaches. Taking guidance from the failures which resulted in a string of dismissals of high-profile cybersecurity-related shareholder derivative lawsuits, a shareholder of the fast food-chain The Wendy’s Company is taking another shot to impose liability on corporate leadership for failing to take precautions against cyber-attacks. To be clear, these derivative cases are trying to hold the directors and officers liable for mismanagement of the company which led to the data breach, not for the liability arising directly from the data breach itself. These types of derivative lawsuits, however, have been largely unsuccessful. On December 16, 2016, a shareholder of the fast-food chain Wendy’s filed a ...
Continue Reading...

Lessons in Cyber-Hygiene: How John Podesta was Caught by Phishing

computer crime Instead of a Hollywood-style cyberattack into an underground bank of highly secure servers, it appears Hillary Clinton’s campaign chairman John Podesta fell victim to a run-of-the-mill phishing email appearing to come from Google. On March 19, 2016, Podesta received an alarming email to his Gmail account indicating someone had accessed his account, inviting Podesta to click on a Bitly URL (a service providing shortlinks, or smaller URL addresses) pointing to a longer URL that looked like a Google link. According to Bitly’s statistics, the URL sent to Podesta was clicked two times in March. From March to May, it appears the same hackers created 213 short links targeting 108 email addresses on the hillaryclinton.com domain. Reports indicate a similar phishing attack managed to hoodwink former US Secretary of State Colin ...
Continue Reading...