FMG Law Blog Line

Posts Tagged ‘cybersecurity’

The State of Cyber Threats in 2020 and Ongoing Risks to Small and Medium-Size Companies

Posted on: May 13th, 2020

By: Renata Hoddinott

As we approach mid-year 2020, we look back on trends in data breaches and the landscape of cyber threats compared to 2019 as we continue to advise our clients before, during, and after a cyber incident.  Risk-Based Security recently issued its analytics for Q1 2020, finding that the number of publicly reported breaches in Q1 2020 decreased by 42% compared to Q1 2019. That decrease may be due to both disruptions in reporting breaches due to the coronavirus pandemic and the unusually high number of breaches reported last year.

But the number of records exposed in Q1 2020 surged to a record 8.4 billion, an increase of 273% compared to the same time last year. This number is particularly daunting when you consider the enforcement date for the CCPA is quickly approaching on July 1st with no news of any delay in enforcement from the California Attorney General.

While that number is certainly daunting, a possible silver lining is despite the large number of records, around 68% of breaches exposed fewer than 1,000 records. In fact, of the billions of records exposed, one breach was responsible for 5.1 billion of those records, 11 breaches exposed more than 100 million records each, and five breaches exposed between 10 and 99 million records. So, while cyber threats continue to rise, the majority of those threats continue to affect small and mid-size companies.

Unsurprisingly, the vast majority of breaches reported to date this year (70%) were the result of unauthorized access to systems or services. Thus, the largest threat to companies continues to be phishing scams and other social engineering aimed at gathering employee data and credentials. Given the unprecedented work-from-home mobilization of employees around the world, these schemes are an even bigger threat. Bad actors are thriving on the current conditions, their schemes fed by the actions of employees desperate for information on pandemic updates, remote working tools, and official news on potential reopening of businesses and social restrictions.

History has shown that recessions tend to lead to an increase in cybercrime. Most economic experts are convinced the country is headed towards a recession, if not already there. Thus, as the pandemic continues, lockdown orders are extended or only partially lifted, and employees continue to work from home (indefinitely for many), companies must remain vigilant. Now more than ever, companies must reinforce employee training as well as update security software and protocols to protect themselves and the records of their employees and customers stored in their systems.

Cyber Attack on HHS is a Reminder for Businesses to Remain Vigilant About Cybersecurity During the COVID-19 Pandemic

Posted on: March 17th, 2020

By: Renata Hoddinott

Amidst all the information and news flooding the internet regarding COVID-19, another troubling headline emerged this morning: an unknown actor launched a cyber attack on the Department of Health and Human Services (HHS) on Sunday. The attack was not a hack in the traditional sense, and no data was stolen from HHS’s systems. Rather, it was an attempt to slow down HHS’s COVID-19 response by flooding the site with millions of requests over the course of several hours. It was a distributed denial of service – or DDoS – attack. The distinction is important because there was no apparent breach of the systems of the lead agency responding to the coronavirus pandemic, and none of HHS’s critical functions were interrupted. HHS’s systems were largely able to repel the intrusion, the agency was fully functioning at all times, and its site never crashed. But while the attack was unsuccessful, it is a harbinger of things to come, and businesses should take note.

Most corporations and firms with the capability to do so have permitted, encouraged, or even mandated their employees to work from home for an extended amount of time to limit the spread of the virus. All of that remote access, potentially over less secure networks, should raise some concerns for those businesses. Bad actors will no doubt use the opportunity to gain access to less secure devices and networks to penetrate systems they may not have had access to previously due to the security in place for devices “in-house.”

Now is the time to remind remote employees to practice basic common sense and security by ensuring they only access company systems on private, password-protected networks. Employees also need to be watching for social engineering and phishing attacks. An email from the boss asking for password information or the firm’s credit card number may seem legitimate precisely because employees do not have the ability to walk down the hall and ask.

And, for some smaller enterprises that may be new to remote access, some systems may have been rolled out untested in certain circumstances to ensure business continuity. In those cases, it will be important to ensure that, when restrictions are lifted and employees are able to return to work, those remote systems are analyzed and secured against future threats.

This pandemic has unexpectedly and almost immediately changed the way business is conducted day-to-day around the globe. It remains to be seen whether those changes will be permanent. While most people are pulling together in this outbreak, malicious actors will always be looking for every opportunity to take advantage of the situation. During the period of social distancing and self-quarantining, individuals are desperate for up-to-the-minute information on the crisis. Businesses need to be aware that attackers will attempt to exploit the human element now more than ever. And, as we all know, there is almost always a human element – whether an honest mistake or negligence – in most cybersecurity incidents.

In addition, FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients. Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments. For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER: The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19. The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement. We can only give legal advice to clients. Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG. An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest. As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you. We will continue to produce educational content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice or creates an attorney-client relationship, and you cannot rely on it as such. We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**

States are Busy on the Cyber Front

Posted on: February 19th, 2020

By: Amy C. Bender

2020 is off to a busy start, with several states taking action on cybersecurity legislation and issuing other legal updates. Highlights include:

California – California’s Attorney General has issued revised proposed regulations regarding the California Consumer Privacy Act (“CCPA”), which creates consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The updates, which are aimed at providing more relief for consumers and clarity to covered businesses, include changes to definitions, notice and other requirements for covered businesses, and consumer rights and requests. The revised proposed regulations are available here and are currently under a public comment period.

Maryland – In the first decision of its kind under Maryland law, a federal court has ruled that a loss of software and data due to a ransomware attack was covered under a business owner’s property insurance policy. Specifically, the court found that the loss qualified as a “direct physical loss of or damage” to covered property (the affected computer server and networked computers) based on the loss of the data and software in the computer system and the loss of functionality to the computer system itself. The court reasoned that the policy did not limit covered losses to tangible property only or to total property losses. The decision is available here.

Massachusetts – The state’s legislature has stalled a proposed consumer data privacy law (available here) that would have imposed notice and disclosure requirements on businesses that collect consumers’ personal information, provided consumers the right to delete and opt out of third-party disclosure of collected personal information, and allowed consumers to sue for violations of the act without having to show any resulting damage. The bill has been sent to a “study order,” where a committee will study it and report its findings.

New York – The Stop Hacks and Improve Electronic Data Security Act (“SHIELD ACT”), available here, amends the state’s existing data breach notification law to require any person or business that owns or licenses computerized data that includes private information of New York residents to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information, including disposal of data. The data security provisions go into effect on March 21, 2020.

Virginia – Similar to Massachusetts, Virginia’s legislature has delayed and referred to study several privacy-related bills, including bills relating to consumer rights regarding access and sale of their personal data, destruction and disposal of records containing personally identifiable information, and collection and safekeeping of biometric data by employers.

Washington – The legislature has introduced a revised version of a proposed law, the Washington Privacy Act (available here), which would apply to certain private businesses that control or process consumer personal data and that are located within or targeted to residents of the state. The law would provide consumers rights regarding their personal data, impose responsibilities on covered controllers and processors, and regulate facial recognition services. The bill is now scheduled for a public hearing.

Freeman Mathis & Gary’s Data Privacy and Security Practice Group is here to help clients with policies and training. If you have any questions or would like more information, please contact Amy Bender at [email protected].

Latest Study in Cybersecurity Awareness and End User Behaviors

Posted on: September 5th, 2019

By: Michael Kouskoutis

Cybersecurity awareness company Proofpoint recently published its fourth annual Beyond the Phish report, which analyzes end-user behavior and employee knowledge on cybersecurity. Drawing on over 130 million data points across 14 categories, 16 industries, and over 20 departments, this report is regarded as among the most useful cybersecurity studies published each year.

Notable findings include:

  • Participants incorrectly answered about 1 in 4 questions regarding identification of phishing threats.
  • Participants showed poor awareness surrounding risky communication channels (like connecting to public WiFi networks), and struggled to identify distinctions between public and private data.
  • Participants treat mobile devices differently, often taking greater risks than with stationary computers.
  • In comparison with prior reports, users have a greater understanding of ransomware and are becoming better at recognizing malicious pop-ups.
  • End users are also increasingly using physical security practices, such as locking devices before leaving them unattended.
  • End users in the finance industry performed the best, while those in education and transportation were the worst performing users across all industries.
  • End users in hospitality performed the worst in the “Physical Security Risks” category.
  • Workers in the insurance industry performed particularly well in the “Avoiding Ransomware Attacks” category.
  • Communications was the best performing department among all industries, while customer service, facilities and security departments performed the worst.
  • 83% of global organizations experienced phishing attacks in 2018.

The study also reported a significant increase in safe behaviors in organizations that offer continuous training across all cyber topics. With human error being the leading cause of cybersecurity breaches, businesses should make cyber awareness a core component of employee training and offer continual training programs that are kept up to date with the latest threats to cybersecurity. For more information on cyber data security or breach response, contact Michael Kouskoutis at [email protected].

New Cybersecurity Trend: Data Security and Disposal Laws

Posted on: February 7th, 2019

By: David Cole & Amy Bender

Tales of data breaches flood our news reports these days. By now, you hopefully are aware that all 50 states have laws requiring persons and organizations that own or maintain computerized data that includes personal information to notify affected individuals, and sometimes the government, in the event of a data breach involving their personal information. (You know those letters you’ve received from hospitals, retail stores, and other companies advising you that they experienced a data breach that may have exposed your personal information? They didn’t notify you out of the goodness of their hearts – it’s the law!)

In the past, these laws have focused solely on notifying affected individuals about compromises to their personal information. Outside of specific industries, such as healthcare or financial services, which are regulated by laws applicable only to them, such as HIPAA and the Gramm-Leach-Bliley Act, respectively, there have not been laws of general applicability regulating the standard of care required for protecting personal information in the first place. Recently, however, a trend has emerged among state legislatures to take this next step in cybersecurity legislation by setting standards for businesses’ protection of consumers’ personal information.

The majority of states now have enacted data security and/or data disposal laws that place affirmative obligations on entities (or, in some instances, certain types of industries) that own or use computer data containing personal information to safeguard and/or dispose of or encrypt that data. Below is a current list of states that have adopted these laws:

(Click here for our discussion of the significant and comprehensive data security law California passed last year.)

Unfortunately, there is not one universal standard for how to secure and destroy data containing personal information, but rather, the standard varies by state. Organizations that operate in multiple states thus may have to comply with multiple and differing requirements. In addition, many of these laws only provide general, and often vague, guidelines that do not specify particular technologies or data security measures that should be implemented. For instance, many laws only require that businesses implement “reasonable” administrative, physical, and/or technical safeguards to protect personal information from unauthorized use or disclosure, and then describe “reasonable” measures as those “appropriate based on the size of the business and the nature of information maintained.” That may be clear as mud, but at least it’s a start and enough to put businesses on notice that doing nothing is not an option.

For these reasons, we recommend that businesses work with legal counsel to understand the laws of the states where they do business and to conduct a security risk assessment to evaluate the information they maintain, the potential risks to it, and the current measures in place to protect it. Working with legal counsel, businesses should then work with an experienced cybersecurity provider to translate that risk assessment into an actionable plan for improving data security and privacy within their organization. The legal standards still might be vague, but going through a process like this will put businesses in the best position to demonstrate good faith and reasonable efforts to meet their legal obligations if and when an incident occurs or a claim is made by a third party.

Please contact David Cole, Amy Bender, or one of the other members of our Data Security, Privacy & Technology team at FMG for additional questions or to discuss conducting a risk assessment for your organization.