FMG Law Blog Line

Posts Tagged ‘cyber security’

Beware Phony (or Exaggerated) Software Piracy Claims

Posted on: February 3rd, 2020

By: Jeff Alitz

For more than a decade, software companies and software trade groups/alliances have pursued aggressive cost-recovery strategies against customers and former customers for their alleged unauthorized use (i.e., no license available) of software and other intellectual capital published and marketed by the companies. While the deliberate use of such software without a license is neither condoned nor encouraged, the cost-recovery tactics – and the targets of those tactics – are not always appropriate or warranted. The savvy tech user and their counsel should be aware of the most egregious recovery strategies and the best protocol for fighting them.

The least scrupulous piracy enforcers may employ a variety of methods: targeting small and undercapitalized companies with only a handful of software users with the threat of crippling fines; giving whistleblowers not only anonymity but also cash for reporting the use of unlicensed software; and imposing the damage multipliers (3X actual damages are common) found in seldom-read software-license agreements against even the unintentional use of unlicensed software (for example, where the user has simply misplaced the license over time). Most often, the law firm or other designee of the software company or trade group initiates contact with an alleged unlicensed software user by demanding a software audit. If the user cannot demonstrate that the products it uses are fully licensed, up to date, and tied to all of the user’s employees, the software company sharpens its knives.

What can be done? It may seem obvious, but maintaining, and internally broadcasting, that all of the software IS licensed will go far to discourage whistleblowers and will help thwart the piracy hounds if they continue their hunt. IF violations of the software agreements remain unexplained after the audit is complete and the software company continues its pursuit, the “target” and its counsel can employ a variety of defenses to the claims, including arguing that any infringement was innocent (which typically reduces the available fine but does not outright exonerate the software user), focusing on statute-of-limitations defenses, and projecting a willingness to defend against the license-violation allegations while at the same time working toward a cents-on-the-dollar settlement with the best release that can be negotiated.

Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Jeff Alitz at [email protected].

Ransomware Attacks Reached Unprecedented Numbers in 2019

Posted on: January 15th, 2020

By: Melissa Santalone

According to a study published by Emsisoft Malware Lab, an unparalleled number of ransomware attacks hit U.S. businesses and government agencies in 2019.  In total, 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts were targeted at a potential cost of more than $7.5 billion.  In many instances, these attacks caused disruptions that placed lives at risk, like when 911 services were interrupted, emergency patients had to be sent to other hospitals, and police were unable to run background checks and check criminal histories and active warrants.

The report analyzed the “why” of the sharp increase of ransomware attacks in 2019 and concluded that organizations continue to have security weaknesses and attackers have developed better ways of exploiting those weaknesses, creating a “perfect storm.”  Emsisoft referenced a 2019 University of Maryland, Baltimore County report based on data from a national survey of cybersecurity in local governments that found a lack of preparedness within the local governments and a lack of funding for cybersecurity.  Many local governments do not even have mechanisms in place to detect or track cyberattacks and even basic best practices are going unused.  The report cited the city of Baltimore’s loss of data after a ransomware attack because data resided only on users’ individual systems for which there was no mechanism for back-up.

It is clear that state and local governments, healthcare providers, and schools need to be better at preventing, detecting and recovering from ransomware and other cyberattacks.  The Emsisoft report recommends multiple actions that should be taken to make public entities more secure, including improved oversight, more guidance, better funding, and mandatory reporting requirements for ransomware and other cybersecurity incidents.  While there are numerous federal and state laws requiring entities to take protective measures to secure the data with which they are trusted, many organizations are failing to comply.  Emsisoft suggests that authorities should implement auditing systems and corrective measures for those entities that fail to meet minimum standards.  Further, the report argues, clear minimum standards must be adopted so organizations can make appropriate decisions about how best to protect themselves and can allocate their resources in better ways.  Because ransomware and other cyberattacks are not always required to be reported, it is also proposed that entities be legally required to do so in an effort to better pool information on such attacks to detect, prevent, and recover from them.

The Data Security, Privacy & Technology attorneys at Freeman Mathis & Gary, LLP are ready, willing, and able to assist entities with compliance with data security and privacy laws and preparing for attacks before they occur.  If you have any questions about detecting, preventing, or responding to ransomware or other cyberattacks, contact Melissa Santalone at [email protected] or any other member of our Data Security, Privacy & Technology team.

A Recent Study on Cybersecurity Among Small Businesses

Posted on: December 18th, 2019

By: Michael Kouskoutis

A recently published report, entitled “Under Attack: The State of MSP Cybersecurity in 2019,” surveyed 200 managed service providers across the country to evaluate the state of cybersecurity among smaller businesses.  (A managed service provider is a company that handles its customers’ IT infrastructure, often remotely.)  The report reveals how small businesses and their managed service providers are underequipped to protect against the newest forms of cybersecurity threats.  In particular, the study found that nearly three-quarters of managed service providers suffered a cyberattack, and over 80% of their small-business customers experienced a cyberattack as well.

What’s most concerning is that two-thirds of managed service providers believe that they are not equipped to defend their customers against a cyberattack, and that this lack of confidence is likely linked to the widening gap among providers in technical skill, knowledge, certifications and access to resources.  The report advises that managed service providers should seek top talent and facilitate training programs aimed at keeping staff up to date on the latest cyber threats and solutions.

Further, managed service providers are reporting difficulty in selling cybersecurity solutions to their customers, leaving customers increasingly vulnerable to the latest cyber threats.  However, prior studies show that small businesses are willing to spend 27% more money for cybersecurity, provided they feel confident in the security package’s ability to offer adequate protection.  In addition to strengthening their services, managed service providers should proactively engage in conversations with their customers about cybersecurity, and not wait until after an attack.  Customers and prospects should be aware of the evolving nature of cyber threats and that proper cybersecurity requires a deliberate and concerted effort among all small business employees.

For more information about cybersecurity or breach response, contact Michael Kouskoutis at [email protected].

What Constitutes a Reasonable and Defensible Process?

Posted on: February 27th, 2019

By: John Goselin

Society has coalesced around the general principle that businesses, governments or individuals in possession of personal confidential information (whether medical or financial) or personal identifiable information have a duty to protect that information from cyber bad guys stealing it. The reputational damage and financial costs associated with a cyber incident cannot be ignored.

But how much protection is enough? How many safeguards is it realistic to expect those in possession of information to put in place to protect that information? In other words, is there a recognized standard of care where the possessor of confidential information can feel comfortable that the protections/safeguards they have put in place are consistent with what the rest of the world is doing? Can you feel comfortable as a business owner, officer, director or IT specialist that what you are doing is reasonable and defensible in front of regulators, judges and potentially a jury?

Five years ago, the U.S. Department of Commerce’s National Institute of Standards and Technology rolled out the “Framework for Improving Critical Infrastructure Cybersecurity.” The NIST Cyber Security Framework was last updated on April 18, 2018, and is a 48-page process outline that businesses should consider adopting as they assess the appropriate cyber security safeguards for their specific circumstances. According to NIST, the Framework has been downloaded more than 500,000 times. The NIST Framework is not a definitive list of precisely what steps you should undertake, but it outlines a process for addressing this extremely complex issue. With a vetted, federally endorsed process, you and your business can credibly state that you took reasonable steps to address a known problem and that the security measures you implemented were the result of a reasonable and defensible process. You will have something to say in your defense! That is a lot better than simply having your head in the sand.

In November 2018, the state of Ohio passed legislation that included a “safe harbor” against cyber liability for covered businesses that have adopted one of fourteen (14) recognized cyber-security process frameworks. In layman’s terms, if a business can show that they followed one of the approved “frameworks,” the business can avoid liability after the bad guys steal the data. The NIST Cyber Security Framework is one of the recognized industry frameworks. More states are likely to follow Ohio’s lead.

There is plenty of information available to help businesses develop a legally defensible process for handling cyber threats. Buckle down, adopt a process, get some help and put your business in a more defensible position vis-à-vis an unfortunate cyber incident.

If you have any questions or would like more information, please contact John Goselin at [email protected].

A Majority of Federal Agencies Are “At Risk” For Further Data Security Incidents

Posted on: June 6th, 2018

By: Allen Sattler

The Office of Management and Budget (“OMB”) performed a cyber security risk assessment of 96 federal agencies, and it recently published its findings in the “Federal Cybersecurity Risk Determination Report and Action Plan.”  The OMB reported that only 25 of the 96 agencies assessed were adequately managing their risk.  Most agencies, 74% of them, were either “at risk” or “high risk.”  A “high risk” rating meant that the agency either did not have in place or failed to sufficiently deploy key, fundamental cybersecurity policies, processes, and tools.

The OMB performed the risk assessment in response to an Executive Order requiring that the OMB develop a plan to adequately protect the executive branch by improving its cybersecurity.  The assessment conducted by the OMB examined the agencies’ ability to identify, detect, and respond to cyber incidents.  Nearly 31,000 cyber incidents affected the 96 agencies in 2016 alone.

The OMB found that most agencies had poor situational awareness.  The OMB explained that those agencies often lacked the information and resources needed to understand or determine the tactics, techniques, and procedures being used by threat actors to exploit their systems.  For instance, in 38% of the cyber incidents analyzed, the affected agencies could not identify the method of attack used by the threat actor.  The OMB also found that most agencies lack standardized procedures and information technology, which makes mitigating the vulnerabilities of those systems difficult.  For instance, one agency operates 62 separate email services on its systems, making it “virtually impossible” to track and inspect inbound and outbound communications to prevent attacks.  The OMB explained that if the email service is standardized, the agency can then manage the risk.  For instance, it can inspect, detect, and quarantine malicious messages, such as phishing attempts and emails that include attachments with malicious code.

The OMB also found that agencies lack the ability to detect when large amounts of data have been pulled from their systems by an outside attacker.  Only 27% of the agencies reported the ability to detect and investigate whether large amounts of data have been exfiltrated from their systems.  Also, while agencies have largely complied with policies requiring them to encrypt data in transit, less than 16% of agencies achieved their targets for encrypting data at rest.

The findings by the OMB are alarming given that the federal government is often a prime target for attack by cyber criminals, as shown by previous, high-profile breaches.  For instance, in 2015, the Office of Personnel Management sustained a data breach that resulted in the disclosure of fingerprint data belonging to 5.6 million federal employees.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].