Congress Concludes Additional Federal Oversight Needed after Equifax Data Breach

“Equifax…failed to implement an adequate security program to protect this sensitive data…Such a breach was entirely preventable.” So concludes the December 2018 report on “The Equifax Data Breach” by the U.S. House of Representatives Committee on Oversight and Government Reform. The cause, according to the report, was Equifax’s “acquisition strategy [to benefit] bottom line and stock price,” which “growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks.” Risks, it seems, Equifax did not manage. In 2017, the Department of Homeland Security…
Continue reading...

Colorado Data Privacy Act a Landmark in Dealing with Protection of Personally Identifiable Information

Colorado’s Protections for Consumers Data Privacy Act, unanimously approved by the state legislature on May 29, 2018, imposes heightened data protection and breach notification requirements on businesses of all sizes and government entities. It affects all entities that receive, collect, create or save personally identifiable information (PII) from Colorado residents, customers, employees or even prospective employees. The law comes in the wake of the Equifax data breach in 2017, and Colorado being rated the second riskiest state for identity theft in a 2017 study,…
Continue reading...

Congress Continues to Grapple with Election Interference

The Secure Elections Act may be back on the table once again. The bipartisan bill was introduced “to protect the administration of Federal elections against cybersecurity Threats.” In large part, the bill was intended to combat concerns that Russia and other state and private actors could exploit vulnerabilities in backend election systems, including voter registration databases, ballot creation systems, voting machine configuration systems, absentee processing and reporting and tabulation software. The bill’s sponsors hope to pass a version of the bill in time to…
Continue reading...

GAO Report on Cybersecurity Provides Useful Strategies for Federal Agencies and Private Industry

The Government Accountability Office (GAO) recently published another report in its High-Risk Series detailing the major cybersecurity challenges facing the federal government and outlines key strategic elements to address those challenges. While the report focuses on issues pertaining to federal agencies, several of the observations, and recommendations are also applicable to private businesses. To start, the report details five key elements that are needed to make progress in addressing cyber threats: 1) Leadership Commitment; 2) Capacity; 3) Action Plan; 4) Monitoring; and 5) Demonstrated Progress.…
Continue reading...

Lessons in Cyber-Hygiene: How John Podesta was Caught by Phishing

Instead of a Hollywood-style cyberattack into an underground bank of highly secure servers, it appears Hillary Clinton’s campaign chairman John Podesta fell victim to a run-of-the-mill phishing email appearing to come from Google. On March 19, 2016, Podesta received an alarming email to his Gmail account indicating someone had accessed his account, inviting Podesta to click on a Bitly URL (a service providing shortlinks, or smaller URL addresses) pointing to a longer URL that looked like a Google link. According to Bitly’s statistics, the URL…
Continue reading...

Lessons in Cyber-Hygiene: Securing Employee Passwords

The human element remains a significant threat vector for institutions of all sizes, and management is well advised to take proactive steps to educate and implement effective “cyber-hygiene” policies for all employees to minimize the risks associated the range of social engineering tactics, from phishing to inadvertent disclosures, as well as curb the opportunities for plain old mistakes. The area of password protection is among the most obvious areas for improvement in the world of cyber-hygiene. In a recent survey of 750 IT administrators and…
Continue reading...

Judge Rules No Standing to Pursue Fear Of “Hacker Harm”

Last week a judge in the Southern District of Illinois trimmed several claims from a class action complaint made against Chrysler and Harman International Industries stemming from a 2015 WIRED magazine article. The July 21, 2015 WIRED article described the author’s experience of being a “digital crash-test dummy, a willing subject on whom [two hackers] could test the car-hacking research they’d been doing over the past year.” Less than two weeks after the article was published, on August 4, 2015, the plaintiffs filed their class…
Continue reading...

Cybersecurity Down on the Farm

The FBI and Department of Agriculture have issued a Private Industry Notification to increase awareness among farmers that growing reliance on precision agriculture technology, aka “smart farming,” brings increased vulnerability to cyberattacks. While the notification did not suggest attackers could gain control of physical machinery, unauthorized access to farm-level data regarding crop availability and pricing could be used to exploit US agriculture resources and market trends. Earlier this year, for example, the USDA and Microsoft hosted a worldwide competition to design data visualization tools that…
Continue reading...

Better Late Than Never: U.S. and EU Regulators Reach Data Privacy Agreement

Officials from the United States and European Union have reached a tentative agreement regarding transfers of personal data by European individuals and businesses to the United States. As stated in the agreement, “This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” When finalized, it will replace a previous safe harbor agreement between the U.S. and EU, which was struck down by the European Court of Justice (ECJ) in October…
Continue reading...

HIPAA’s Application to Digital Media

Recent media attention to the disclosure of Personal Health Information (PHI) concerning Lamar Odom provides a reminder that the Health Insurance Portability and Accountability Act (HIPAA) applies broadly to digital photographs and other electronic data, whether or not the disclosure is inadvertent. Goldberg Segalla attorneys Seth L. Laver, Jessica L. Wuebker and Kenneth M. Alweis have developed three useful steps to improve privacy and security programs and policies to account for these potential HIPAA violations, which can be read here on the firm’s Professional Liability
Continue reading...