RSS Feed LinkedIn Twitter Facebook
FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Target Pays Largest Ever Data Breach Settlement

Posted on: June 2nd, 2017

By: Amy C. Bender

Target has agreed to pay $18.5 million to settle claims by almost all 50 states – the largest multistate settlement and largest data breach settlement in history – arising from the 2013 incident where hackers accessed Target’s gateway server through credentials stolen from a third-party vendor and then used malware to acquire personal information from over 40 million credit and debit card accounts and contact information for more than 60 million customers. As part of the settlement, Target is required to adopt a comprehensive information security program, employ an executive to implement the changes, retain an independent third party to conduct a security assessment, and encrypt customer card and personal information, among other measures. Target separately has agreed to pay another $10 million settlement to consumers affected by the breach.

This is yet another cautionary tale of the pitfalls of a business failing to maintain and monitor effective data security measures. FMG’s Cyber team is available to help your organization be prepared for and respond to such an attack.


WannaCry Brings New Focus on Cyber Insurance and Privacy Impact Assessments

Posted on: May 18th, 2017

By: Jonathan M. Romvary

In the wake of last week’s WannaCry ransomware attack that crippled nearly 200,000 computers across 150 nations, businesses around the world must reassess how they can protect themselves from the seemingly inevitable cyber-attack. According to the 2017 Verizon Data Breach Investigations Report, ransomware continues to be one of the most popular attacks used by criminals due to its availability and ease of use.

It is reported that nearly nine out of ten cyber insurance policies are issued in the United States. The reason for the overwhelming adoption of policies within the United States market can be traced to adoption of federal statutes and regulations governing online privacy and well established state data breach statutes imposing regulatory penalties and private causes of action. The European Union, until the recent adoption of the General Data Protection Regulation (GDPR), simply did not provide its businesses with the same quantifiable incentive. Whether as a result of the WannaCry ransomware attack, or in anticipation of the implementation of the GDPR, you can expect to see a surge in demand from European companies

But insurance is only a part of the solution as there are many instances where the insurance coverage explicitly excludes certain situations. These can include where companies have failed to download a software patch to protect users from known vulnerabilities, where employees using pirated software are the entry point for the virus into the system, or even where there is a claim for business interruption. However, if data is truly lost because it has been destroyed or completely removed from the system, no amount of insurance will be able to recover it.

So how do businesses protect themselves from such a crippling attack? As they say in sports, the best defense is a good offense. The easiest way to protect yourself is by updating your computer to include the most recent security patches that are offered by the manufacturer or developers. But remember, staying secure against ransomware isn’t just about having the latest security solutions. Good IT security practices including regular training for employees and data and privacy policies drafted by your attorneys, are essential to reduce the risk of an attack. Businesses should also perform a privacy and privacy impact assessments of their computer systems to identify and address any potential weaknesses. Make sure that whoever is performing the assessment, whether your CIO, IT, or attorney, is utilizing privacy frameworks accepted by your industry’s ISO or other accepted framework. Some good examples include the APEC Privacy Framework, the OECD Privacy Framework, or the FTC’s report, Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policy Makers.

Remember, the Cyber, Data Security, and Privacy practice group attorneys are here to assist you in any way. Please contact Jonathan Romvary at [email protected] if you have any questions regarding how your business can perform an assessment of its system to further protect against unwanted cyber attacks.


WannaCry Ransomware Cyberattack Brings Tears to the Eyes of Businesses in More than 150 Countries

Posted on: May 18th, 2017

By: Robyn Flegal

As of May 18, 2017, more than 200,000 computers in 150 countries have been hit by a large-scale ransomware attack. Victims of the attack include the British National Health Service, FedEx, and Renault. By exploiting a vulnerability in outdated versions of Microsoft Windows, including Windows XP, the “WannaCry” ransomware encrypts data on devices running unsupported Microsoft software. The data is held hostage until the victim pays a ransom of approximately $300 per device.

While it is not yet clear who is to blame or how this could have been prevented, the costs associated with this attack are much higher than the $300 ransom. Business was lost while devices were encrypted. Experts also believe that businesses running outdated versions of Windows could face liability as a result of this attack. This is because Microsoft offered a security patch for these vulnerabilities in March of 2017, but many users had not yet applied the patch or had not otherwise updated their software. Those affected in Asia and Europe face an increased risk of exposure, as almost 90% of cyber insurance policies are sold within the United States.

To avoid WannaCry and other future cyberattacks, be sure to upgrade your Microsoft systems and regularly install software updates when they become available. If you are running Windows XP or other older versions of Windows, please be aware that Microsoft is offering free security updates via its website.

The Cyber, Data Security, and Privacy practice group attorneys are here to assist you. Please contact Robyn Flegal at [email protected] for more information.



Tennessee Re-Amends its Data Breach Notification Statute

Posted on: May 5th, 2017

By: Kacie L. Manisco

As we discussed in a prior blog post last year, in March 2016, Tennessee enacted an amendment to its data breach notification law that seemingly removed the encryption safe harbor, creating uncertainty over whether such a safe harbor continued to exist.

Just one year after this law took effect, Tennessee has again amended its data breach notification statute to exclude encrypted information from the definition of “personal information.” The new amendment serves to clear up the uncertainty caused by the 2016 amendment, and provides that the breach of encrypted data does not trigger notification to affected individuals unless the encryption key is also compromised.

The law now also contains a clearer definition of “encrypted” data, stating that it must be in accordance with the current version of the Federal Information Processing Standard (“FIPS”). Tennessee is unique among the state breach notification laws in citing to the FIPS as a reference for what constitutes encrypted data.

The amendment further clarifies the notification deadline to be either 45 days after discovery of the breach, or 45 days after a law enforcement agency investigating the incident determines that notification will not compromise a criminal investigation.

Finally, the amendment provides that notice can be made by email if the notice is either consistent with the E-Sign Act, or if the organization’s primary method of communication with the individual was by electronic means.

In light of these changes, Tennessee organizations should review their data security measures and response plans to ensure that they are prepared for and can respond efficiently to a data breach, and detect when one occurs. Working with experienced and knowledgeable cyber attorneys is important in that regard, and the attorneys in our Cyber Liability, Data Security & Privacy team keep up to date on all of these changes and other developments in the law. Please contact us to discuss how we can help your organization.

For any questions you may have please contact Kacie Manisco at [email protected].

Failing to Examine Risks Leads to Data Breach and Hefty Settlement Payout

Posted on: April 24th, 2017

By: Melissa Santalone

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced a $400,000 settlement with Metro Community Provider Network (MCPN), a Federally Qualified Health Center providing primary medical care and other health-related services in the Denver area, of an alleged HIPAA violation which resulted in a data breach due to a 2012 phishing scam. On January 27, 2012, MCPN filed a breach report with the OCR indicating that a hacker had used phishing emails to access employee email accounts, resulting in the compromise of electronic protected health information (ePHI) of 3,200 individuals. The OCR’s investigation of the breach revealed that MCPN had never conducted a security risk analysis of the vulnerabilities of the confidentiality, integrity, and availability of its ePHI prior to the discovery of the breach in violation of HIPAA. Further, once it did do a risk analysis, MCPN failed to do one sufficient to satisfy the HIPAA Security Rule. As part of the settlement, in addition to paying out a fine of $400,000, MCPN has agreed to implement a corrective action plan that requires it to conduct a comprehensive risk analysis and submit a written report to the OCR. Following the risk assessment, MCPN must also develop and enact an organization-wide risk management plan, including reviewing and revising its security policies and procedures and training materials.

This settlement highlights the importance of conducting regular, thorough risk analyses for all organizations subject to the requirements of HIPAA.  According to the OCR Guidance, which may be found here, a thorough risk analysis may involve:

  • Identification of the variety of ePHI an organization creates, collects, maintains, or transmits;
  • Identification of the location(s) where ePHI is stored;
  • Identification and documentation of threats to and vulnerabilities to ePHI;
  • Assessment of current security measures;
  • Assessment of the potential impact of the threat(s);
  • Assessment of the level of risk;
  • Documentation of the overall analysis.

While MCPN failed to do one at all until after it suffered a breach, the belief that doing one is enough is not uncommon. The OCR Guidance on this topic suggests periodic review. Significant changes in organizational structure or size or the implementation of new technology need to equate to updated risk assessments. If you need assistance with your HIPAA risk assessments, FMG’s Cyber Liability, Data Security & Privacy group is here to help.