Congress Concludes Additional Federal Oversight Needed after Equifax Data Breach

“Equifax…failed to implement an adequate security program to protect this sensitive data…Such a breach was entirely preventable.” So concludes the December 2018 report on “The Equifax Data Breach” by the U.S. House of Representatives Committee on Oversight and Government Reform. The cause, according to the report, was Equifax’s “acquisition strategy [to benefit] bottom line and stock price,” which “growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks.” Risks, it seems, Equifax did not manage. In 2017, the Department of Homeland Security…
Continue reading...

In Pennsylvania, Employers (and Others) may be Liable for Failing to Protect Personal Information that They Collect

On November 21, 2018 Pennsylvania’s highest court ruled that employers in Pennsylvania have an affirmative legal duty to protect workers’ sensitive data from possible hacking.  This ruling has profound implications for employers, which may now be subject to liability for failing to take reasonable precautions to protect their employees from cyber attacks. In a proposed class action, employees of the University of Pittsburgh Medical Center sought damages after a data breach exposed the personal information – including names, dates of birth, addresses, Social Security numbers,…
Continue reading...

Pennsylvania Federal Court Dismisses Law Firm’s Case Against Bank in Social Engineering Cyber Attack

The unfortunately reality of cyber theft is that it’s much like any other type of theft – even if the criminal is caught, it’s unlikely that the ill-gotten gains will ever be fully recovered. There are simply too many ways to hide their destination or make them disappear. This often means the victim will seek other avenues for recouping losses, including filing a civil action against entities or individuals who allegedly could have helped prevent the theft. In the case of O’Neill, Bragg & Staffin,
Continue reading...

An International Vow to Address Cybersecurity

On Monday, November 12, 2018 , during the Internet Governance Forum at UNESCO’s headquarters in Paris, the French President Emmanuel Macron announced an international agreement referred to as the “Paris Call for Trust and Security in Cyberspace.” The agreement was signed by over 50 countries as well as businesses, including Facebook, Google, and Microsoft, and other organizations. Australia, the United States, Israel, Russia, and China are notably absent. The agreement first highlights the central role cyberspace plays in every aspect of present life and reaffirms…
Continue reading...

Colorado Data Privacy Act a Landmark in Dealing with Protection of Personally Identifiable Information

Colorado’s Protections for Consumers Data Privacy Act, unanimously approved by the state legislature on May 29, 2018, imposes heightened data protection and breach notification requirements on businesses of all sizes and government entities. It affects all entities that receive, collect, create or save personally identifiable information (PII) from Colorado residents, customers, employees or even prospective employees. The law comes in the wake of the Equifax data breach in 2017, and Colorado being rated the second riskiest state for identity theft in a 2017 study,…
Continue reading...

In Line with GDPR, Canada Amends its Privacy Protection Regulation to Include Stringent and Mandatory Breach Notification Rules

On November 1, 2018, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) was amended to include stringent, mandatory breach notification rules. These rules are similar to the European Union’s General Data Protection Regulation (GDPR), which took effect in May, 2018. Organizations that conduct business in Canada will be subject to PIPEDA as well as the GDPR, if that organization is accessible in the European market. The new PIPEDA regulations reinforce the image of Canada as an international leader in personal data protection…
Continue reading...

Advisen Cyber Risk Insights Conference

I, along with three of my partners in Goldberg Segalla’s Cybersecurity and Data Privacy Practice Group, recently attended the Advisen Cyber Risk Insights Conference in New York City and came away with some terrific nuggets.  They include the importance of “silent cyber” to reinsurers and regulators, the fragmentation of the cyberinsurance market and the difficulty in driving change even for industry leaders, and continuing perceptions about coverage for cyber-related losses under stand-alone cyberinsurance policies and traditional insurance policies. One of the best resources I picked…
Continue reading...

3D Printing: A Cybersecurity Concern

Additive manufacturing, more commonly known as 3D printing, is a process of making three-dimensional solid objects from a digital model. Additive manufacturing is already used in a number of critical fields, such as medicine, aerospace, civil engineering, and industrial manufacturing. 3D printers are often internet-connected, and increasingly open-sourced. As a result, they face a host of security issues which range from digital to physical. Most of these issues fall broadly into either confidentiality and privacy concerns or device and product integrity concerns. Confidentiality and privacy…
Continue reading...

Facebook Moves to Dismiss Derivative Action Arising Out of Cambridge Analytica Scandal

On September 28, 2018, Facebook and its board of directors moved to dismiss a derivative action filed by Karen Sbriglio, a Facebook investor, alleging breach of a fiduciary duty.  The lawsuit, filed after revelations of the Cambridge Analytica scandal, claims the failure of Facebook’s leadership and governance in permitting the misappropriation of Facebook users’ data subjected it to public scrutiny, billions of dollars of lost market value, and significant fines and costs.  The basis of Facebook’s motion was that the company’s board, rather than…
Continue reading...

Long-struggling ‘Google Plus’ Social Network to be Shutdown after Security Breach Affects 500,000

On Monday, October 8, 2018 Google disclosed a security breach it discovered months ago that put at risk the personal data of hundreds of thousands of Google Plus users. In March, Google discovered, and fixed, the bug that allowed outside software developers to gain access to personal information on Google Plus users, including names, email addresses, ages, occupations and relationship status. The company’s decision to not immediately report the software bug has some concerned that Google cannot be relied on to protect privacy. Google…
Continue reading...