Goldberg Segalla, Author at Data Privacy and Security™

January 10, 2017 Cybersecurity / Regulation

NYDFS Issues Updated Cybersecurity Regulation

The New York Department of Financial Services (NYDFS) recently issued an updated version of its proposed cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). The updated proposed regulation reflects several of the comments offered during the initial public notice and comment period that concluded on November 14, 2016. Some of the most noteworthy changes in the revision are as follows:

Section 500.04 — NYDFS clarified that while a Covered Entity must designate a qualified individual to perform the responsibilities

Despite Recent High-Profile Dismissals, Wendy’s Shareholders Try Again with Cybersecurity-Related Derivative Lawsuit

The resilient plaintiff’s bar is not backing down from their quest to hold directors and officers personally liable for corporate misconduct that leads to cybersecurity breaches. Taking guidance from the failures which resulted in a string of dismissals of high-profile cybersecurity-related shareholder derivative lawsuits, a shareholder of the fast food-chain The Wendy’s Company is taking another shot to impose liability on corporate leadership for failing to take precautions against cyber-attacks. To be clear, these derivative cases are trying to hold the directors and officers liable… Continue Reading

October 20, 2016 Cyber Attacks / Cyber Risk

Lessons in Cyber-Hygiene: How John Podesta was Caught by Phishing

Instead of a Hollywood-style cyberattack into an underground bank of highly secure servers, it appears Hillary Clinton’s campaign chairman John Podesta fell victim to a run-of-the-mill phishing email appearing to come from Google. On March 19, 2016, Podesta received an alarming email to his Gmail account indicating someone had accessed his account, inviting Podesta to click on a Bitly URL (a service providing shortlinks, or smaller URL addresses) pointing to a longer URL that looked like a Google link. According to Bitly’s statistics, the URL… Continue Reading

October 11, 2016 Cyber Risk

Lessons in Cyber-Hygiene: Securing Employee Passwords

The human element remains a significant threat vector for institutions of all sizes, and management is well advised to take proactive steps to educate and implement effective “cyber-hygiene” policies for all employees to minimize the risks associated the range of social engineering tactics, from phishing to inadvertent disclosures, as well as curb the opportunities for plain old mistakes. The area of password protection is among the most obvious areas for improvement in the world of cyber-hygiene. In a recent survey of 750 IT administrators and… Continue Reading

October 5, 2016 Cyber Breach / Cybercrime / Cybersecurity / Emerging Issues

The Yahoo Class Action: Plaintiff’s Bar Finds a New Cottage Industry

The only “surprise” in the Yahoo class action complaint, filed Friday, September 23, 2016, is that Yahoo issued a press release announcing the breach a mere one day earlier. The class action complaint, undersigned by three law firms in San Francisco, Boca Raton, and New York, seeks certification for: “All persons within the United States whose personal information was accessed following the data breach that Yahoo announced in a press release on September 22, 2016.” Indeed, the complaint makes a number of allegations relating directly… Continue Reading

September 29, 2016 Class Action / Cyber Risk / Cybercrime / Cybersecurity

Judge Rules No Standing to Pursue Fear Of “Hacker Harm”

Last week a judge in the Southern District of Illinois trimmed several claims from a class action complaint made against Chrysler and Harman International Industries stemming from a 2015 WIRED magazine article. The July 21, 2015 WIRED article described the author’s experience of being a “digital crash-test dummy, a willing subject on whom [two hackers] could test the car-hacking research they’d been doing over the past year.” Less than two weeks after the article was published, on August 4, 2015, the plaintiffs filed their class… Continue Reading

September 28, 2016 Cybersecurity

RAND Study Estimates Lower Cyber-Incident Costs

According to a new study by the RAND Corporation, published in the Oxford Journal of Cybersecurity, the average cost of a typical cyber breach for an American company has been estimated at $200,000, significantly less than the $1,000,000 figure suggested by other organizations, such as the Ponemon Institute. The study analyzed a private data set of 12,000 cyber incidents over a decade based on corporate losses compiled for the insurance industry. “Relative to all the other risks companies face, the cyber risks often aren’t… Continue Reading

September 22, 2016 Lawsuit

Plaintiffs’ Monitoring Activity to Mitigate Increased Risk of Identity Theft Sufficient for Article III Standing in the Sixth Circuit

The Sixth Circuit, in a 2-1 majority decision, has reinstated a class action lawsuit against Nationwide Mutual Insurance Company, finding that the plaintiffs’ alleged “imminent, immediate and continuing increased risk” of identify fraud after hackers accessed personal data on Nationwide’s servers constituted a “cognizable injury” under Article III. The court’s unpublished decision cited a range of alleged damages from the plaintiffs’ complaint including the time and expense of monitoring their own credit, as well as a study “purporting to show that in 2011 recipients of… Continue Reading

June 10, 2016 Cyber Breach / Lawsuit

Something to Keep an Eye On: Insurers and Insureds to Duke it Out in Data Breach Coverage Suit

A new Indiana coverage litigation regarding a CGL policy (and umbrella policy) may provide more guidance about how courts will approach data breach coverage under traditional insurance products. In National Fire Insurance Company of Hartford v. Medical Informatics Engineering, Inc. et al. (N.D. Ind., No. 16-cv-152), two CNA companies initiated a declaratory judgment action seeking a ruling they do not have the duty to defend or indemnify Medical Informatics Engineering, Inc. or NoMoreClipboard, LLC (collectively Medical Informatics) in relation to lawsuits filed against Medical Informatics. … Continue Reading

May 4, 2016 Cyber Attacks

Forty Percent Increase in New York State Data Breaches

On Wednesday, May 4, 2016, New York State Attorney General Eric T. Schneiderman announced a 40 percent increase in reports of data breaches during 2016 as compared with the same time frame last year. As in a growing number of states and federal agencies, New York’s Information Security Breach & Notification Act, enacted in 2005, requires all individuals and organizations conducting business in New York to report any unauthorized access to personal information to affected individuals, law enforcement and other government officials. According to the… Continue Reading