House Overwhelmingly Passes Two Cyber Threat-Sharing Bills, Senate Poised for Third

On Wednesday, April 22, by a vote of 307-116, the House passed its first major cybersecurity bill of 2015, the Protecting Cyber Networks Act (PCNA), backed by the leadership of the Committee on Intelligence, which would shield private companies when sharing cyber threat data with government civilian agencies, including the Commerce and Treasury Departments. A second bill, the National Cybersecurity Protection Advancement Act of 2015 (NCPAA), which amends the Homeland Security Act of 2002, was passed by the House the following day, Thursday, April 23,…

Symantec Issues Threat Report – Cyber Threats on the Increase

Symantec issued its 2014 Internet Threat Security Report (“ITSR” or the “Report”). The Report highlighted some interesting trends including:
  • “60 percent of all targeted attacks struck small- and medium-sized organizations.” In part, this is due to the fact that these “organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments. This puts not only the businesses, but also their business partners, at higher risk.”
  • “Non-targeted attacks still make up


NY Dept. of Financial Services Requests Detailed Cyber Security Reports From Insurers

Cyber security is clearly one of the highest priorities — if not the top concern — for regulators in 2015. Late last month, the New York Department of Financial Services (DFS) sent more than 160 licensed insurers a New York Insurance Law Section 308 Letter seeking a detailed report regarding their cyber security practices and procedures. The Section 308 Letter — to which there is now less than three weeks to respond — also provides greater insight into the scope of cyber security examinations that…

Target to Change Security Policies and Pay $10 Million to Settle Data Breach Lawsuit

U.S. District Court Judge Paul Magnuson has indicated that he will grant preliminary approval of a 97-page settlement agreement between Target and class-action plaintiffs.  Under the settlement, Target will pay $10 million to compensate injured customers, with court documents suggesting as much as $10,000 for a victim. In total, 42 million shoppers had their credit or debit information stolen, and 61 million had personal data stolen from November 27 through December 18, 2013. The settlement also requires Target to change its security policies within 10…

Hackers Charged with Stealing 1 Billion E-mail Addresses

The U.S. Department of Justice has unsealed indictments against three hackers for having broken into eight email service providers (ESPs), stealing 1 billion email addresses and names, and receiving $2,000,000 for the sale of products to those email addresses through a “spam” sales scheme. According to the indictments filed with the U.S. District Court for the Northern District of Georgia, Canadian David-Manuel Santos Da Silva and Viet Quoc Nguyen and Giang Hoang Vu from Vietnam used an email phishing scheme beginning in 2009 to gain…

SEC, FINRA and the U.S. Senate Prepare for Cyberattacks in 2015

Two major government agencies have issued reports addressing security of brokerage and advisory firms, and two U.S. Senators have declared their intention to expand cyber-security laws into automobiles. In February, the SEC released two major publications regarding risks for brokerage and advisory firms, as well as adjusters. The Financial Industry Regulation Authority (FINRA), a private corporation managed by financial industry insiders and billed as the self-appointed “regulator” for NYSE and NASDAQ, has issued a report to assist broker-dealer firms with…

Third Circuit Reviews FTC’s Authority To Enforce An “Unreasonable Failure” To Protect Against A Cyber Attack

Today, the Third Circuit heard oral argument in a case that may have a profound impact on the Federal Trade Commission’s enforcement authority over corporate cybersecurity.  The question presented to the Court of Appeals is whether the FTC can pursue an enforcement action against a company under Section 5 of the FTC Act if the FTC believes that a cyber-hack occurred due to the company’s “unreasonable failure” to protect consumer data. The FTC alleges that Wyndham Worldwide did not “employ reasonable and appropriate measures to…

Cyber Breaches Prompt Government Action

Several government entities are taking action to address the growing rise of cyber-attacks as more fully explained in Goldberg Segalla’s Insurance & Reinsurance Report. As reported in a post by Frederick J. Pomerantz and Aaron J. Aisen, in response to a cyber breach at a major insurer, Connecticut lawmakers are considering legislation requiring insurance companies to encrypt sensitive information.  Furthermore, the Federal Government is considering several proposals  including a Consumer Privacy Bill of Rights and standardized consumer notification procedures.  Similarly, as discussed in…

Cyber-Attack Class Actions Are On The Rise

After a barrage of media coverage over the release of The Interview, Sony Pictures now finds itself in federal court defending against seven class action lawsuits filed less than a month after the North Korean government hacked its computer system.  Sony became aware of this “unprecedented” attack, in which it reportedly lost over 100 terabytes of data, on the morning of November 24th.  The first class action complaint, Corona v. Sony Pictures Entm’t, Inc., was filed on December 15, 2014 —…

Cyber Attack Immobilizes Dutch Government Websites

As reported by the BBC, most of the Dutch government’s websites were rendered virtually inoperable on Tuesday by a successful distributed denial of service (DDoS) cyber-attack that flooded their servers with traffic. A number of private sites were also breached, and the attack also affected communications provider Telford. As the BBC noted, these attacks “highlighted the vulnerability of public infrastructure.” An official from the Dutch Government Information Service, Rimbert Kloosterman, remarked that the complexity and size of the government’s websites had…