Internet of Things Cybersecurity Improvement Act

On January 1, 2020, California’s “Security of Connected Devices” law (Senate Bill No. 327), which was enacted in 2018, will require companies that manufacture any device that connects “directly or indirectly” to the Internet that is sold in California to incorporate within the device “a reasonable security feature or features.” What constitutes as a “reasonable security feature” is largely undefined, but if the device is capable of authentication outside of a local area network (LAN), then the security will be deemed reasonable if a preprogrammed…
Continue reading...

Considering Legal Privileges in the Cybersecurity Context

Any organization that is cognizant of its cybersecurity obligations faces a fundamental problem: the greater the effort to increase security, the greater the number of documents generated, memorializing those efforts. Those documents could be discoverable in the event of litigation. The law of privilege in the context of pre-breach planning, including application of the attorney-client relationship to third-party technology vendors and security engineers, remains largely uncharted. The thought leaders at The Sedona Conference are taking steps to help frame the dialogue and set the stage…
Continue reading...

Everybody’s Buying Cyber… Why Aren’t You?

A recent market survey shows companies are getting the message that purchasing cyberinsurance is a corporate imperative today. According to a recent AM Best Market Segment Report, direct premiums written for U.S. cyberinsurance policies from 2015 to 2018 have doubled to $2 billion. Three million cyberinsurance policies were in force in 2018, an increase from 2.6 million in 2017. Admittedly, premium growth has slowed to 12.6 percent in 2018, although that may be due in part to the number of companies using captives for their…
Continue reading...

Cryptocurrency Theft is on the Rise

According to a recent study, losses from theft, fraud, and misappropriation of cryptocurrency increased to $1.2 billion worldwide in the first quarter of 2019, which is already 70 percent of all such activity from 2018.  In fact, it was  reported that hackers used phishing, viruses, and other techniques to steal $41 million in cryptocurrency from Binance, one of the world’s largest cryptocurrency exchanges. This is on the heels of an announcement by Fidelity Investments that it will soon buy and sell bitcoin for institutional customers.…
Continue reading...

Ohio Cybersecurity Legislation Applicable to Insurers Now In Effect

Ohio’s new law requiring insurance providers to take steps to protect personal information recently went into effect March 20, 2019. Ohio now follows South Carolina as the second state to adopt legislation modeled after the NAIC’s Insurance Data Security Model Law.             The law, codified at new Ohio Revised Code Chapter 3695, applies to all individuals or non-governmental entities required to be authorized, registered, or licensed under Ohio insurance laws (defined as “licensees”). Only smaller licensees that have fewer than 20 employees, less than $5…
Continue reading...

Washington State Cyberstalking Law Deemed Unconstitutional

On February 22, a federal judge in the State of Washington held that Washington’s cyberstalking law impermissibly inhibits constitutionally protected speech in violation of the First Amendment. The case of Rynearson v. Ferguson was commenced by Richard Rynearson, III against Washington State’s Attorney General and county prosecuting attorney under 42 U.S.C. Section 1983 for the purpose of enjoining the state’s enforcement of its cyberstalking statute, Wash. Rev. Code Section 9.61.260. Rynearson is an online author and activist who regularly writes online posts and comments directed…
Continue reading...

Key Upcoming Deadlines under the New York DFS Cybersecurity Regulation

When New York’s landmark cybersecurity regulation became effective back in March 2017, the Department of Financial Services (DFS) implemented a two-year timeline for implementation of the regulation’s requirements, with a final compliance deadline of March 1, 2019.  Entities covered by the wide-sweeping regulation should remember filing their first certificate of compliance in February of last year.  The two-year implementation period is almost over, and once again, important deadlines are now quickly approaching.  “Covered Entities” (banks, insurance companies, and other financial services institutions and…
Continue reading...

Department of Health and Human Services Releases Cybersecurity Guide for Healthcare Providers

Over a year of collaboration between the Department of Health and Human Services (HHS) and industry partners has culminated in the publication of a cybersecurity guide for medical providers of all sizes. HHS describes it as “a set of voluntary, consensus-based principles and practices to improve cybersecurity in the health sector,” that looks to “raise the cybersecurity floor” across the country. Although the guide emphasizes its wide applicability, much of the discussion appears directed at small and mid-sized providers. For example, HHS highlights a recent…
Continue reading...

Congress Concludes Additional Federal Oversight Needed after Equifax Data Breach

“Equifax…failed to implement an adequate security program to protect this sensitive data…Such a breach was entirely preventable.” So concludes the December 2018 report on “The Equifax Data Breach” by the U.S. House of Representatives Committee on Oversight and Government Reform. The cause, according to the report, was Equifax’s “acquisition strategy [to benefit] bottom line and stock price,” which “growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks.” Risks, it seems, Equifax did not manage. In 2017, the Department of Homeland Security…
Continue reading...

In Pennsylvania, Employers (and Others) may be Liable for Failing to Protect Personal Information that They Collect

On November 21, 2018 Pennsylvania’s highest court ruled that employers in Pennsylvania have an affirmative legal duty to protect workers’ sensitive data from possible hacking.  This ruling has profound implications for employers, which may now be subject to liability for failing to take reasonable precautions to protect their employees from cyber attacks. In a proposed class action, employees of the University of Pittsburgh Medical Center sought damages after a data breach exposed the personal information – including names, dates of birth, addresses, Social Security numbers,…
Continue reading...