Newsflash: Internet-Connected Devices Are Not Private

Last week, Amazon confirmed that its Alexa-powered Echo device may, in fact, listen in on private conversations, whether or not the device has been intentionally activated by a user. In this “extremely rare occurrence,” a couple’s private conversation was not only recorded but was sent to a random number in the user’s address book without their permission. Earlier this year, users also reported “unexpected and unwarranted bursts of robotic laughter,” which many found to be extremely “creepy,” and which Amazon characterized as the…

The SEC is Focused on Public Company Disclosure of Cybersecurity Risks

While new data privacy rules in the European Union have dominated the news lately, the U.S. Securities and Exchange Commission (SEC) has not so quietly been making waves of its own in the regulation of cybersecurity. In February, the SEC issued fresh guidance to public companies on the disclosure of cybersecurity issues, both in identifying risks prospectively and in disclosing breaches quickly. It then followed up that guidance in April with its first-ever fine of a public company for failing to promptly disclose a…

Data Breach Settlement Highlights Need for Proactive Management of Data Security Threats

Lincare Inc. recently agreed to settle a class action lawsuit for $875,000. The class plaintiffs consisted of employees whose personal information was compromised in 2017. The breach involved a business email compromise scam. The settlement amount is not the only cost to the company, and it may in fact be smaller than the cost of the remedial measures (credit/identity monitoring) and IT reforms needed to prevent such an incident from happening again. For example, the settlement terms dictate that an additional two years of free credit and identity…

GDPR: The Countdown to Compliance

Many companies, large and small, are scrambling with last-minute preparations for compliance with the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. If they do not comply, they face fines for serious infractions of up to 4 percent of the company’s worldwide revenue or €20 million, whichever is higher. A recent IAPP survey of U.S. and European companies carried out by the Ponemon Institute has revealed that only 52 percent of companies expect to achieve…

Chili’s Carefully Announces Limited Data Breach

On May 11, 2018, Chili’s Grill & Bar learned that “some of [their] guests’ payment card information was compromised at certain Chili’s restaurants” as the result of a “data incident,” according to a press release on the company’s website. Preliminary investigations suggest malware was used to gather payment card information for purchases between March and April 2018. While such data incidents are increasingly common, Chili’s press release is notable for two reasons. First, the release, presented as a letter to “valued guests,” provided…

No More Chits to Call In: Computer Crime Policy Does Not Cover Fraudulent Transaction

In Interactive Communications International, Inc. v. Great American Insurance Company, a lawsuit closely monitored by those in the cyberinsurance space, the Eleventh Circuit affirmed a Georgia federal court’s decision, finding an insurance policy’s “Computer Fraud” coverage did not extend to certain losses caused by fraudsters. The decision comports with other recent decisions finding that social engineering fraud schemes do not satisfy the policy’s requirement of losses resulting directly from the use of a computer. Here, the devil was in the details. InComm operated a…

FTC Settles False Representation Claim Against Mobile Phone Manufacturer

The Federal Trade Commission (FTC) has settled with BLU Products, Inc. over allegations that the unlocked mobile phone manufacturer allowed a third-party provider to collect detailed personal information about its consumers without their knowledge or consent. In 2016, BLU Products admitted that a third-party app called “Wireless Update” had been “collecting unauthorized personal data in the form of text messages, call logs and contacts from customers” on some devices. The FTC alleged that BLU Products, its co-owner and president falsely claimed that only information needed…

The SEC Imposed its First Data-Breach Related Disclosure Penalty

On the heels of the Securities and Exchange Commission (SEC) February 20, 2018, guidance on cybersecurity-related disclosures, the SEC imposed its first data-breach-related enforcement penalty. It should come as no surprise that the SEC’s first penalty was levied against Yahoo, arising from its massive 2014 data breach. The $35 million penalty was, as the SEC stated in its April 24 press release, intended “to settle charges that [Yahoo] misled investors by failing to disclose one of the world’s largest data breaches…

Nearly 50 Percent Increase in Gulf Region Cyberattacks

Gulf Business Machines (GBM) reports a significant increase in hacking events among Gulf-based enterprises, from 28 percent in 2016 to 41 percent in 2017. Even so, only 31 percent of regional organizations are concerned about the detection of and response to these attacks. At the 2018 Gulf Information Security Expo and Conference, held in Dubai on May 1-3, 2018, GBM issued its Seventh Annual Cybersecurity Study, which surveyed regional organizations regarding security in the business environment. The survey polled over 600 executives…

Targeting Public Services: How Municipalities and Gas Pipelines are Vulnerable to Cyberattacks

While the Facebook / Cambridge Analytica scandal has captured the public’s attention, two significant attacks, on the City of Atlanta and on natural-gas pipeline operators, illustrate the risk to fundamental human services, including law enforcement and consumer energy. On March 22, 2018, the City of Atlanta reported a ransomware cyberattack on government network servers, including servers hosting data for the Atlanta Police Department, preventing government employees from accessing information necessary to perform their duties. In particular, the police department was effectively handcuffed and unable to access evidence…