FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Ransomware Attacks Reached Unprecedented Numbers in 2019

Posted on: January 15th, 2020

By: Melissa Santalone

According to a study published by Emsisoft Malware Lab, an unparalleled number of ransomware attacks hit U.S. businesses and government agencies in 2019.  In total, 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts were targeted at a potential cost of more than $7.5 billion.  In many instances, these attacks caused disruptions that placed lives at risk, like when 911 services were interrupted, emergency patients had to be sent to other hospitals, and police were unable to run background checks and check criminal histories and active warrants.

The report analyzed the “why” of the sharp increase in ransomware attacks in 2019 and concluded that organizations continue to have security weaknesses and attackers have developed better ways of exploiting those weaknesses, creating a “perfect storm.” Emsisoft referenced a 2019 University of Maryland, Baltimore County report based on data from a national survey of cybersecurity in local governments that found a lack of preparedness within the local governments and a lack of funding for cybersecurity. Many local governments do not even have mechanisms in place to detect or track cyberattacks, and even basic best practices are going unused. The report cited the city of Baltimore’s loss of data after a ransomware attack because the data resided only on users’ individual systems, for which there was no back-up mechanism.

It is clear that state and local governments, healthcare providers, and schools need to be better at preventing, detecting and recovering from ransomware and other cyberattacks.  The Emsisoft report recommends multiple actions that should be taken to make public entities more secure, including improved oversight, more guidance, better funding, and mandatory reporting requirements for ransomware and other cybersecurity incidents.  While there are numerous federal and state laws requiring entities to take protective measures to secure the data with which they are trusted, many organizations are failing to comply.  Emsisoft suggests that authorities should implement auditing systems and corrective measures for those entities that fail to meet minimum standards.  Further, the report argues, clear minimum standards must be adopted so organizations can make appropriate decisions about how best to protect themselves and can allocate their resources in better ways.  Because ransomware and other cyberattacks are not always required to be reported, it is also proposed that entities be legally required to do so in an effort to better pool information on such attacks to detect, prevent, and recover from them.

The Data Security, Privacy & Technology attorneys at Freeman Mathis & Gary, LLP are ready, willing, and able to assist entities with compliance with data security and privacy laws and preparing for attacks before they occur.  If you have any questions about detecting, preventing, or responding to ransomware or other cyberattacks, contact Melissa Santalone at [email protected] or any other member of our Data Security, Privacy & Technology team.

A Recent Study on Cybersecurity Among Small Businesses

Posted on: December 18th, 2019

By: Michael Kouskoutis

A recently published report, entitled “Under Attack: The State of MSP Cybersecurity in 2019,” surveyed 200 managed service providers across the country to evaluate the state of cybersecurity among smaller businesses.  (A managed service provider is a company that handles its customers’ IT infrastructure, often remotely.)  The report reveals how small businesses and their managed service providers are underequipped to protect against the newest forms of cybersecurity threats.  In particular, the study found that nearly three-quarters of managed service providers suffered a cyberattack, and over 80% of their small-business customers experienced a cyberattack as well.

What’s most concerning is that two-thirds of managed service providers believe that they are not equipped to defend their customers against a cyberattack, and that this lack of confidence is likely linked to the widening gap among providers in technical skill, knowledge, certifications, and access to resources. The report advises that managed service providers should seek top talent and facilitate training programs aimed at keeping staff up to date on the latest cyber threats and solutions.

Further, managed service providers are reporting difficulty in selling cybersecurity solutions to their customers, leaving customers increasingly vulnerable to the latest cyber threats.  However, prior studies show that small businesses are willing to spend 27% more money for cybersecurity, provided they feel confident in the security package’s ability to offer adequate protection.  In addition to strengthening their services, managed service providers should proactively engage in conversations with their customers about cybersecurity, and not wait until after an attack.  Customers and prospects should be aware of the evolving nature of cyber threats and that proper cybersecurity requires a deliberate and concerted effort among all small business employees.

For more information about cybersecurity or breach response, contact Michael Kouskoutis at [email protected].

The Ethical Duty of Technology Competence – The Day is Coming in California

Posted on: December 5th, 2019

By: Renata Hoddinott

Recognizing the emergence of technology, its impact on the practice of law, and the importance of lawyers understanding technology, the American Bar Association modified its Model Rules in 2012 to make clear a lawyer’s duty of competence includes both a substantive knowledge of the law and the competent use of technology. ABA Model Rule 1.1 Comment 8 provides, in part, that, “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice including the benefits and risks associated with relevant technology.”

Since then, 38 states* have now adopted some version of Comment 8. In 2016, Florida went even further and became the first state to require lawyers to complete three hours of continuing legal education on technology every three years. In 2019, North Carolina followed suit and requires lawyers to complete one hour of continuing education devoted to technology training every year.

But where California normally leads the nation in many areas, in this it is in the minority of hold-out states which have not adopted a version of Comment 8. While the State Bar of California’s Standing Committee on Professional Responsibility and Conduct has issued several opinions involving technology to date, California has not yet expressly referred to a technology component of a lawyer’s duty of competence in its Rules of Professional Conduct.

There are constantly emerging technologies to assist lawyers in delivering legal services to their clients. In the past, lawyers were deemed competent based on their experience and knowledge of a substantive area of law. As technology evolved, so too did the concept of competence. Types of technology used by today’s lawyers include the technology used to run a law firm and practice (case management software, billing software, and email), data security to protect client confidentiality, technology used to present information to the court, electronic discovery, saving client information in the cloud and on other third-party service platforms, and the use of social media such as Facebook, LinkedIn, and blogs. There is also the growing area of artificial intelligence, or AI, which is transforming the way lawyers and law firms perform legal research, due diligence, document review, and more.

While these technologies offer many benefits to help increase efficiency, minimize mistakes, and decrease labor costs, there are also associated risks and pitfalls. Technology competence includes an understanding of the technology a lawyer currently utilizes in his or her practice, the additional technology available, and the technology that a client or prospective client uses or owns. Lawyers who are not technologically competent may be putting their clients and themselves at a disadvantage, as well as potentially risking a malpractice action in certain cases.

Attorneys must recognize the ways in which technology influences the practice of law in California. While it is not yet mandated as in many other states, that day is coming soon. And while technology continues to advance faster than developments in California law, lawyers should consider their duties of competence, diligence, supervision, and maintaining confidentiality when implementing and using technology.

*The states which have adopted some version of Comment 8 are: Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

If you have any questions or would like more information, please contact Renata Hoddinott at [email protected], or any other member of our Lawyers Professional Liability Practice Group, a list of which can be found at www.fmglaw.com.

Latest Study in Cybersecurity Awareness and End User Behaviors

Posted on: September 5th, 2019

By: Michael Kouskoutis

Cybersecurity awareness company Proofpoint recently published its fourth annual Beyond the Phish report, which analyzes end-user behavior and employee knowledge on cybersecurity. Drawing on over 130 million data points across 14 categories, 16 industries, and over 20 departments, this report is regarded as among the most useful cybersecurity studies published each year.

Notable findings include:

  • Participants incorrectly answered about 1 in 4 questions regarding identification of phishing threats.
  • Participants showed poor awareness surrounding risky communication channels (like connecting to public WiFi networks), and struggled to identify distinctions between public and private data.
  • Participants treat mobile devices differently, often taking greater risks than with stationary computers.
  • In comparison with prior reports, users have a greater understanding of ransomware and are becoming better at recognizing malicious pop-ups.
  • End users are also increasingly using physical security practices, such as locking devices before leaving them unattended.
  • End users in the finance industry performed the best, while those in education and transportation were the worst performing users across all industries.
  • End users in hospitality performed the worst in the “Physical Security Risks” category.
  • Workers in the insurance industry performed particularly well in the “Avoiding Ransomware Attacks” category.
  • Communications was the best performing department among all industries, while customer service, facilities and security departments performed the worst.
  • 83% of global organizations experienced phishing attacks in 2018.

The study also reported a significant increase in safe behaviors in organizations that offer continuous training across all cyber topics. With human error being the leading cause of cybersecurity breaches, businesses should make cyber awareness a core component of employee training and offer continual training programs that are up to date with the latest threats to cybersecurity. For more information about cyber data security or breach response, contact Michael Kouskoutis at [email protected].

Georgia High Court to Rule on Damages Required for Data Breach Claims

Posted on: September 3rd, 2019

By: Amy Bender

The Georgia Supreme Court soon will weigh in on the ongoing debate within the courts of when individuals may bring claims based on data breaches involving their personal information when they have not suffered any actual financial harm.

In what is now, however unfortunately, a familiar story, the plaintiffs in Collins et al. v. Athens Orthopedic Clinic, P.A. were patients at a medical clinic that experienced a ransomware attack that gave the hacker access to their personal information stored on the clinic’s computer database, such as their Social Security numbers, dates of birth, and medical histories. The hacker then posted the information on the Dark Web and another website. The clinic did not provide credit monitoring, identity theft protection, or other remedies to its victim patients, which the patients then had to purchase themselves. One of the plaintiffs also experienced fraudulent credit card charges, although she did not actually allege those charges were the result of the clinic’s data breach.

Instead of claiming any violation of a data breach statute, the plaintiffs brought claims under Georgia state law for negligence, breach of contract, unjust enrichment, declaratory judgment, Georgia Uniform Deceptive Trade Practices Act, and attorney’s fees. The trial court dismissed the claims before trial, and the Georgia Court of Appeals agreed, finding measures such as credit monitoring and identity theft protection and their associated costs, which are designed to prevent exposure to future, speculative harm, were not sufficient proof of the damages required to establish any of their claims.

The Georgia Supreme Court agreed to review the case and recently heard oral argument. A decision is expected within the next few months. At oral argument, some of the justices seemed skeptical of the lower courts’ rulings and the argument that the plaintiffs needed to wait until they had been victimized by identity fraud before they could file suit. However, no ruling has been made yet.

Courts around the country have taken differing views on whether the mere exposure of personal information, without more, is enough to be considered “damages” or if the plaintiff must prove additional financial harm. (See our related blog posts here, here, and here.) The upcoming Georgia Supreme Court decision hopefully will shed light on this issue and serve as a helpful guide for both organizations and individuals, at least within the State of Georgia.

Another takeaway from this case is that it usually is prudent for an organization that has experienced a data breach exposing personal information of its patients or clientele to bear the cost of credit monitoring and identity theft services, in addition to implementing strong data security measures that may prevent such an attack from occurring in the first place. Indeed, although not mandatory in Georgia and most other states, a handful of other states do require that these services be offered to affected individuals at no cost when they are notified of a data breach. Although these costs can be high, they can be covered by the organization’s cyber liability insurance policy and likely pale in comparison to the time and money the organization may spend defending a lawsuit arising out of the breach.

For more information or for assistance with data security or response measures, contact FMG’s Data Security, Privacy & Technology team.