“Anatomy of a Data Breach”

Blog contributor James M. Paulino II recently co-authored an article in DRI’s For the Defense. The article, “Anatomy of a Data Breach,” examines fundamental concepts on both the technical and legal sides of cybersecurity to help companies and their counsel face the growing threat of data breaches head-on. “As the stage is set for the first major debate over federal legislation, two basic issues emerge for attorneys and clients alike. First and foremost, what exactly is a data breach? Second, what is the current legal framework through which we litigate in the aftermath of a cyberattack?” The comprehensive article also explores various classifications of data breaches and the types of evidence they leave behind, steps to take to be prepared to respond quickly in the event of a breach, the current patchwork ...

DOJ Issues Best Practices for Cyber Incident Response

The US Department of Justice, Criminal Division, Cybersecurity Unit has issued a 15-page best practices document “to assist organizations in preparing a cyber incident response plan and…in preparing to respond to a cyber incident.” The document explains in detail the steps necessary before, during and after a cyber attack or intrusion, summarized in a “Cyber Incident Preparedness Checklist” (see below). “Any Internet-connected organization” is advised to review and adopt these best practices in order to provide a prompt, effective response to incidents, minimize resulting harm, expedite recovery, and, most importantly, take steps to prevent an intrusion from occurring in the first instance. A complete copy of the Best Practices guidelines can be found here.

Department of Justice Cyber Incident Preparedness Checklist

Before a Cyber Attack or Intrusion

Identify mission critical data and ...

Senator Seeks Answers from President on White House Cyber Attack

Chairman of the Senate Committee on Commerce, Science and Transportation, John Thune, has sent an open letter to President Obama to address the cyber attack on the White House’s unclassified computer system in late 2014. The breach, allegedly by Russian hackers, was according to Senator Thune “more extensive than previously known,” and accessed “a great deal of sensitive information, such as schedules, policy discussions, and e-mails sent and received by” Mr. Obama, “including exchanges with ambassadors.” Following increased attacks across Executive Branch departments and agencies, Mr. Thune and the Committee had “serious questions as to whether they are adequately prepared to address vulnerabilities and protect sensitive information.” The senator explained, “concerns remain that the White House’s network infrastructure remains vulnerable.” Mr. Thune then called on Mr. Obama, who previously “proposed legislation ...

Recent Class Action Settlements By Target & Adobe

Adobe’s impending settlement in a class action comes just a month after Target settled claims for $10 million. Although confirmatory discovery is ongoing according to Law360, Adobe and the named class members are expected to present their settlement proposal to District Judge Lucy Koh by the end of May. Last year, both Adobe and Target lost motions to dismiss that challenged the plaintiffs’ Article III standing based on the U.S. Supreme Court’s 2012 decision in Clapper v. Amnesty International USA. This may have been the catalyst for these recent settlements. Judge Koh, of the Northern District of California, relied on a 2010 Ninth Circuit decision in the data breach case Krottner v. Starbucks Corp. in denying Adobe’s motion. Adobe argued that Krottner is at odds with Clapper, which stands for the ...

House Overwhelmingly Passes Two Cyber Threat-Sharing Bills, Senate Poised for Third

On Wednesday, April 22, by a vote of 307-116, the House passed its first major cybersecurity bill of 2015, the Protecting Cyber Networks Act (PCNA), backed by the leadership of the Committee on Intelligence, which would shield private companies from liability when sharing cyber threat data with civilian government agencies, including the Commerce and Treasury Departments. A second bill, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), which amends the Homeland Security Act of 2002, was passed by the House the following day, Thursday, April 23, by a vote of 355-63. The second bill, supported by the House Committee on Homeland Security, gives private companies additional protections against liability when sharing data with the Department of Homeland Security. The PCNA affords its protections by requiring dismissal of any action against a ...

Symantec Issues Threat Report – Cyber Threats on the Increase

Symantec issued its 2014 Internet Threat Security Report (“ITSR” or the “Report”). The Report highlighted some interesting trends including: “60 percent of all targeted attacks struck small- and medium-sized organizations.” In part, this is due to the fact that these “organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments. This puts not only the businesses, but also their business partners, at higher risk.” “Non-targeted attacks still make up the majority of malware, which increased by 26 percent in 2014. In fact, there were more than 317 million new pieces of malware created last year, meaning nearly one million new threats were released into the wild each day. Some of this malware may not ...

NY Dept. of Financial Services Requests Detailed Cyber Security Reports From Insurers

Cyber security is clearly one of the highest priorities — if not the top concern — for regulators in 2015. Late last month, the New York Department of Financial Services (DFS) sent more than 160 licensed insurers a New York Insurance Law Section 308 Letter seeking a detailed report on their cyber security practices and procedures. The Section 308 Letter — to which there are now fewer than three weeks to respond — also provides greater insight into the scope of the cyber security examinations that DFS plans to schedule after receiving insurer responses to the Section 308 Letter. This latest DFS action comes in the wake of the February 2015 DFS Report on Cyber Security in the Insurance Sector, which announced a number of measures that DFS plans to implement ...

Target to Change Security Policies and Pay $10 Million to Settle Data Breach Lawsuit

U.S. District Court Judge Paul Magnuson has indicated that he will grant preliminary approval of a 97-page settlement agreement between Target and class-action plaintiffs. Under the settlement, Target will pay $10 million to compensate injured customers, with court documents suggesting payments of as much as $10,000 per victim. In total, 42 million shoppers had their credit or debit card information stolen, and 61 million had personal data stolen, between November 27 and December 18, 2013. The settlement also requires Target to change its security policies within 10 business days of the settlement, including appointing a Chief Information Security Officer, maintaining a written information security program to document risks and develop metrics, and providing security training to “relevant” workers. Victims with reasonable documentation of one of the following losses may be eligible to ...

Hackers Charged with Stealing 1 Billion E-mail Addresses

The U.S. Department of Justice has unsealed indictments against three hackers for breaking into eight email service providers (ESPs), stealing 1 billion email addresses and names, and receiving $2,000,000 from the sale of products to those email addresses through a “spam” sales scheme. According to the indictments filed with the U.S. District Court for the Northern District of Georgia, Canadian David-Manuel Santos Da Silva and Vietnamese nationals Viet Quoc Nguyen and Giang Hoang Vu used an email phishing scheme beginning in 2009 to obtain log-in credentials from ESP employees, which were then used to access the ESPs’ databases of email addresses and names. The hackers then sent spam messages through the ESPs’ own email servers, selling otherwise free software for a profit through Da Silva’s Canadian corporation, ...

SEC, FINRA and the U.S. Senate Prepare for Cyberattacks in 2015

Two major government agencies have issued reports addressing the security of brokerage and advisory firms, and two U.S. Senators have declared their intention to extend cyber-security laws to automobiles. In February, the SEC released two major publications (here and here) regarding risks for brokerage and advisory firms, as well as adjusters. The Financial Industry Regulatory Authority (FINRA), a private corporation managed by financial industry insiders and billed as the self-appointed “regulator” for the NYSE and NASDAQ, has issued a report to assist broker-dealer firms in protecting against cyber attacks. And U.S. Senators Markey and Blumenthal declared their intention to introduce legislation requiring manufacturers of “smart cars,” which, like smart phones, are connected to the internet, to comply with additional government regulations to protect consumers, following Senator Markey’s report titled “Tracking & Hacking: Security & Privacy Gaps Put ...