FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

States are Busy on the Cyber Front

Posted on: February 19th, 2020

By: Amy C. Bender

2020 is off to a busy start, with several states taking action on cybersecurity legislation and issuing other legal updates. Highlights include:

California – California’s Attorney General has issued revised proposed regulations regarding the California Consumer Privacy Act (“CCPA”), which creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The updates, which are aimed at providing more relief for consumers and clarity to covered businesses, include changes to definitions, notice and other requirements for covered businesses, and consumer rights and requests. The revised proposed regulations are available here and are currently under a public comment period.

Maryland – In the first decision of its kind under Maryland law, a federal court has ruled that a loss of software and data due to a ransomware attack was covered under a business owner’s property insurance policy. Specifically, the court found that the loss qualified as a “direct physical loss of or damage” to covered property (the affected computer server and networked computers) based on the loss of the data and software in the computer system and the loss of functionality to the computer system itself. The court reasoned that the policy did not limit covered losses to tangible property only or to total property losses. The decision is available here.

Massachusetts – The state’s legislature has stalled a proposed consumer data privacy law (available here) that would have imposed notice and disclosure requirements on businesses that collect consumers’ personal information, provided consumers the right to delete and opt out of third-party disclosure of collected personal information, and allowed consumers to sue for violations of the act without having to show any resulting damage. The bill has been sent to a “study order,” where a committee will study it and report its findings.

New York – The Stop Hacks and Improve Electronic Data Security Act (“SHIELD ACT”), available here, amends the state’s existing data breach notification law to require any person or business that owns or licenses computerized data that includes private information of New York residents to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including disposal of data. The data security provisions go into effect on March 21, 2020.

Virginia – Similar to Massachusetts, Virginia’s legislature has delayed and referred to study several privacy-related bills, including bills relating to consumer rights regarding access and sale of their personal data, destruction and disposal of records containing personally identifiable information, and collection and safekeeping of biometric data by employers.

Washington – The legislature has introduced a revised version of a proposed law, the Washington Privacy Act (available here), which would apply to certain private businesses that control or process consumer personal data and that are located within the state or target its residents. The law would provide consumers rights regarding their personal data, impose responsibilities on covered controllers and processors, and regulate facial recognition services. The bill is now scheduled for a public hearing.

Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Amy Bender at [email protected].

Beware Phony (or Exaggerated) Software Piracy Claims

Posted on: February 3rd, 2020

By: Jeff Alitz

For more than a decade, software companies or software trade groups/alliances have pursued aggressive cost-recovery strategies against customers and former customers for their alleged unauthorized use (i.e., no license available) of software and other intellectual capital published and marketed by the companies. While the deliberate use of such software without a license is neither condoned nor encouraged, the cost-recovery tactics – and the targets of such tactics – are not always appropriate or warranted. The savvy tech user and their counsel should be aware of the most egregious recovery strategies and the best protocol to fight them.

The least scrupulous piracy enforcers may employ a variety of methods: targeting small and undercapitalized companies with only a few software users with the threat of crippling fines; giving whistleblowers not only anonymity but also cash for reporting the use of unlicensed software; and imposing the damage multipliers (3X actual damages is common) found in seldom-read software license agreements even against the unintentional use of unlicensed software (for instance, where the user has simply misplaced the license over time). Most often, the law firm or other designee of the software company or trade group initiates contact with an alleged unlicensed software user by demanding a software audit. If the user cannot demonstrate that the products it uses are fully licensed, up to date, and tied to all of the user’s employees, the software company sharpens its knives.

What can be done? It may seem obvious, but maintaining, and internally broadcasting, that all software IS licensed will go far toward discouraging whistleblowers and will help thwart the piracy hounds if they continue their hunt. If violations of the software agreements remain unexplained after the audit is complete and the software company continues its pursuit, the “target” and its counsel can employ a variety of defenses to the claims, including arguing that any infringement was innocent (which typically reduces the available fine but does not outright exonerate the software user), focusing on statute of limitations defenses, and projecting a willingness to defend the license violation allegations while at the same time working to achieve a cents-on-the-dollar settlement with the best release that can be negotiated.

Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Jeff Alitz at [email protected].

Two-Factor Authentication—Not Broken Yet, But the Bad Guys Are Doing Their Worst

Posted on: January 27th, 2020

By: Barry Miller

If a cybersecurity gold standard exists, it is two-factor authentication (“2FA”).

Or it was.

As the name implies, 2FA is a two-level approach. Level one usually is a password. The second level is typically a random digital code (a “token”) created by or transmitted to a separate device. After entering their password, users then have to supply the token. Because the second factor changes with every use, the assumption was that the only way to break 2FA would be to hack both levels—password and token.

Shortly before Christmas, ZDNet reported that a group sponsored by the Chinese government managed to bypass 2FA in a “wave of attacks.” Government entities and providers in the aviation, healthcare, finance, insurance, and energy sectors were the main targets. Their method bypassed 2FA not by intercepting the token sent to the user, but by creating another valid token.

This followed a November report from gPost that a whitehat hacker showed how Gmail’s 2FA could be vulnerable, and another December story that hackers were using an Android app advertised as a battery utility to bypass 2FA and steal money from PayPal accounts.

All of which prompted threatpost to ask several security experts whether 2FA is broken. The consensus was that, while 2FA is not perfect, using it still is better than not using it. “Any sort of 2FA is still leaps and bounds better than no 2FA at all,” Jason Kichen told threatpost. Because so many entities still do not require 2FA, using it “means you’re a harder target than the user next to you.”

A second consensus among the threatpost experts is that even the best 2FA system will not compensate for failing to set and follow policies, and failing to train users.

Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Barry Miller at [email protected].

Ransomware Attacks Reached Unprecedented Numbers in 2019

Posted on: January 15th, 2020

By: Melissa Santalone

According to a study published by Emsisoft Malware Lab, an unparalleled number of ransomware attacks hit U.S. businesses and government agencies in 2019.  In total, 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts were targeted at a potential cost of more than $7.5 billion.  In many instances, these attacks caused disruptions that placed lives at risk, like when 911 services were interrupted, emergency patients had to be sent to other hospitals, and police were unable to run background checks and check criminal histories and active warrants.

The report analyzed the “why” of the sharp increase of ransomware attacks in 2019 and concluded that organizations continue to have security weaknesses and attackers have developed better ways of exploiting those weaknesses, creating a “perfect storm.”  Emsisoft referenced a 2019 University of Maryland, Baltimore County report based on data from a national survey of cybersecurity in local governments that found a lack of preparedness within the local governments and a lack of funding for cybersecurity.  Many local governments do not even have mechanisms in place to detect or track cyberattacks and even basic best practices are going unused.  The report cited the city of Baltimore’s loss of data after a ransomware attack because data resided only on users’ individual systems for which there was no mechanism for back-up.

It is clear that state and local governments, healthcare providers, and schools need to be better at preventing, detecting and recovering from ransomware and other cyberattacks.  The Emsisoft report recommends multiple actions that should be taken to make public entities more secure, including improved oversight, more guidance, better funding, and mandatory reporting requirements for ransomware and other cybersecurity incidents.  While there are numerous federal and state laws requiring entities to take protective measures to secure the data with which they are trusted, many organizations are failing to comply.  Emsisoft suggests that authorities should implement auditing systems and corrective measures for those entities that fail to meet minimum standards.  Further, the report argues, clear minimum standards must be adopted so organizations can make appropriate decisions about how best to protect themselves and can allocate their resources in better ways.  Because ransomware and other cyberattacks are not always required to be reported, it is also proposed that entities be legally required to do so in an effort to better pool information on such attacks to detect, prevent, and recover from them.

The Data Security, Privacy & Technology attorneys at Freeman Mathis & Gary, LLP are ready, willing, and able to assist entities with compliance with data security and privacy laws and preparing for attacks before they occur.  If you have any questions about detecting, preventing, or responding to ransomware or other cyberattacks, contact Melissa Santalone at [email protected] or any other member of our Data Security, Privacy & Technology team.

A Recent Study on Cybersecurity Among Small Businesses

Posted on: December 18th, 2019

By: Michael Kouskoutis

A recently published report, entitled “Under Attack: The State of MSP Cybersecurity in 2019,” surveyed 200 managed service providers across the country to evaluate the state of cybersecurity among smaller businesses.  (A managed service provider is a company that handles its customers’ IT infrastructure, often remotely.)  The report reveals how small businesses and their managed service providers are underequipped to protect against the newest forms of cybersecurity threats.  In particular, the study found that nearly three-quarters of managed service providers suffered a cyberattack, and over 80% of their small-business customers experienced a cyberattack as well.

What’s most concerning is that two-thirds of managed service providers believe that they are not equipped to defend their customers against a cyberattack, and that this lack of confidence is likely linked to the widening gap among providers in technical skill, knowledge, certifications and access to resources. The report advises that managed service providers should seek top talent and facilitate training programs aimed at keeping staff up to date on the latest cyber threats and solutions.

Further, managed service providers are reporting difficulty in selling cybersecurity solutions to their customers, leaving customers increasingly vulnerable to the latest cyber threats.  However, prior studies show that small businesses are willing to spend 27% more money for cybersecurity, provided they feel confident in the security package’s ability to offer adequate protection.  In addition to strengthening their services, managed service providers should proactively engage in conversations with their customers about cybersecurity, and not wait until after an attack.  Customers and prospects should be aware of the evolving nature of cyber threats and that proper cybersecurity requires a deliberate and concerted effort among all small business employees.

For more information about cybersecurity or breach response, contact Michael Kouskoutis at [email protected].