Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

Category Archives: Cybersecurity

Legal Developments in Connected Car Arena Provide Glimpse of Privacy and Data Security Regulation in Internet of Things

Posted in Cybersecurity, Online Privacy
With the holiday season in the rear view, automobiles equipped with the newest technology connecting carmakers with their vehicles, vehicles with the world around them, and drivers with the consumer marketplace – Connected Cars – have moved from the lots to driveways. Automakers are remaking their fleets to offer unprecedented choice and convenience to drivers.…

Encryption: The Battle Between Privacy and Counterterrorism

Posted in Cybersecurity
For privacy advocates, it is universally accepted that encryption is a very good thing. After all, encrypted data is deemed a safe harbor under HIPAA and state breach-notification laws, providing an “out” from potential fines and penalties when an encrypted device is lost that contains sensitive health or other personal information. In addition to encouraging…

The CFTC’s Proposed Standards Identify Cybersecurity Best Practices

Posted in Cybersecurity
The Commodity Futures Trading Commission (CFTC) offered several reasons for proposing five new cybersecurity testing requirements for the commodity trading platforms it regulates in its December 23, 2015, Notice of Proposed Rulemaking: More than half of the securities exchanges surveyed in 2013 reported that they had been the victim of cyberattacks. 80 Fed Reg. at…

Incident Response Tip: Five Ways to Improve Information Security and Reduce the Impact of a Data Breach

Posted in Cybersecurity, Incident Response
The new year will arrive in a few short days and when the bell tolls, it will mark the end of another extremely active year of data breaches. High-profile breaches such as Anthem, Ashley Madison, and the Office of Personnel Management serve as a reminder that it is a matter of when, not if, your…

EU’s Network and Information Security Directive: Regulating “operators of essential services” and “digital service providers”

Posted in Cybersecurity
The European Union continues to move forward with a proposed unified framework to strengthen network and information security systems across its member countries. On December 18, 2015, the Permanent Representatives Committee (Coreper) approved a provisional agreement reached on December 7, 2015, by the European Parliament and European Council on the Network and Information Security Directive…

Disregard CISA Chicken Littles: CISA Boosts U.S. Cyber Defense While Protecting Privacy

Posted in Cybersecurity
Yes: the Cyber Information Sharing Act of 2015 (CISA) was slipped into the must-pass Omnibus Spending Bill last week by House negotiators and became law on Friday. No: despite protestations from some quarters, the sky has not fallen on our personal privacy. Although critics decry CISA for providing the National Security Agency (NSA) with a…

What the FTC’s Settlement With Wyndham Means for Your Company

Posted in Cybersecurity, Data Breaches
The recent settlement entered into between the Federal Trade Commission (FTC), Wyndham Hotels and Resorts and related companies (Wyndham) provides an important roadmap for companies seeking to avoid running afoul of the FTC’s regulation of data security. In particular, this settlement, as embodied in a Consent Order entered by the Court, provides Wyndham Hotels and…

New York Department of Financial Services Sets Forth Extensive Cybersecurity Regulatory Framework Proposal

Posted in Cybersecurity, Information Security
On November 9, 2015, the New York State Department of Financial Services (NYDFS) issued a letter to the members of the Financial and Banking Information Infrastructure Committee (FBIIC) detailing a new cybersecurity framework proposal for “covered entities,” or financial institutions regulated by NYDFS. The framework builds on data from NYDFS reports surveying cybersecurity programs from…

Threat Intelligence Tools Help Defend Networks

Posted in Cybersecurity
Threat intelligence services provide information about the identities, motivations, characteristics, and methods of attackers. See Rob McMillan, Khushbu Pratap, “Market Guide for Security Threat Intelligence Services,” 3, Gartner (October 14, 2014). “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets to…

How and Why to Pick a Forensic Firm Before the Inevitable Occurs

Posted in Cybersecurity, Incident Response
A forensic investigation by a security firm often does (and should) drive decision-making in response to an incident. Because the work of a security firm usually drives the critical path of a response, companies can become better prepared to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an…

Challenging FTC Regulation of Cyber-security After FTC v. Wyndham

Posted in Cybersecurity
The Third Circuit interlocutory decision in Federal Trade Commission v. Wyndham Worldwide Corporation was widely reported as a big win for the Federal Trade Commission (“FTC”). But on closer examination, it was a split decision in which Wyndham Worldwide Corporation (“Wyndham”) can claim an important victory. While affirming the FTC’s authority to regulate cyber-security practices…

NAIC Adopts Cybersecurity Bill of Rights

Posted in Cybersecurity
The National Association of Insurance Commissioners (“NAIC”) continued its efforts to advance cybersecurity in the insurance industry when it recently adopted the Cybersecurity Bill of Rights. The Cybersecurity Bill of Rights provides a set of directives for insurance companies to follow that are aimed at protecting the data of consumers. The Cybersecurity Bill of Rights…

Colleges and Universities Are Prime Cyberattack Targets: What’s Behind the Threat?

Posted in Cybersecurity, Incident Response
When it comes to cyberattack targets, many think of retailers and associated credit card transactions or customer information, or perhaps healthcare providers with their ever-increasing storage and transmission of electronic information related to patients. But colleges and universities are increasingly under siege from hackers. In fact, the education sector, according to recent reports, comes in…

CA AG Requires Chief Privacy Officer and Privacy Compliance Program

Posted in Cybersecurity, Enforcement
California’s Attorney General, Kamala Harris, has required Houzz, a home décor information and e-commerce website and mobile app publisher, to hire a chief privacy officer (CPO), conduct a company-wide privacy assessment, and maintain a privacy compliance program to settle a lawsuit that alleged Houzz failed to follow California law that requires disclosure of the recording…

The SEC OCIE Announces Increased Scrutiny of Broker-Dealers’ and Investment Advisers’ Cybersecurity Programs

Posted in Cybersecurity
On September 15, 2015, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (2015 Risk Alert) to provide broker-dealers and investment advisers with information on the focus areas of its upcoming round of cybersecurity examinations. OCIE is building on its previous cybersecurity examinations to increase…

DOD Adopts Interim Cyber Rules As Claims of Chinese Cyber Attacks Continue

Posted in Cybersecurity, International Privacy Law
U.S. officials have blamed Chinese government-backed attackers for many of the recent cyber attacks on U.S. government and business computer networks: “Researchers and government officials have determined that the Chinese group that attacked the office [of Personnel Management] was probably the same one that seized millions of records held by the health care firms Anthem…

2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents

Posted in Cybersecurity, Data Breaches, HIPAA/HITECH, Incident Response, Information Security, Infrastructure, Retail Industry
There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for and how should they prepare? Annual reports from forensic investigation…

Lloyd’s Report Highlights Risk of Cyberattacks on National Power Grid

Posted in Cybersecurity, Infrastructure
A sophisticated cyberattack on the U.S. power grid could cause nearly $250 billion in economic losses and, under the most severe circumstances, cost more than $1 trillion to the U.S. economy, according to a recent report prepared by Lloyd’s and the University of Cambridge Centre for Risk Studies. The Business Blackout Report considers the impacts…

An Ounce of Prevention Is Better (and Cheaper) Than a Pound of Cure: It’s time for a data protection checkup.

Posted in Cybersecurity, Incident Response, Information Governance, Online Privacy
We recently released the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. The report shows that human error was the number one cause of data security incidents we worked on last year, with employee negligence responsible…

A Deeper Dive: Risk Assessments Are a Necessary Step in Creating Layered Cyber Defenses

Posted in Cybersecurity, Incident Response, International Privacy Law
We have released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Tens of thousands of cyber attackers employed by the Chinese People’s Liberation Army and other employees and contractors of the Chinese Ministry of State Security work…

Lost, Unencrypted Laptop Leads FINRA to Fine a Broker-Dealer $225,000 for Violating Reg S-P

Posted in Cybersecurity
With the recent focus by the SEC and FINRA on cybersecurity for broker-dealers and investment advisers as a backdrop, FINRA recently brought and settled an enforcement action under SEC Regulation S-P against broker-dealer Sterne, Agee & Leach, Inc. The case arose from a May 2014 incident in which a Sterne information technology employee inadvertently left…

2015 BakerHostetler Incident Response Report Shows One in Five Breaches Involved Paper Records

Posted in Cybersecurity, Data Breach Notification Laws, Data Breaches, Incident Response
BakerHostetler’s inaugural Data Security Incident Response Report offers a wealth of information regarding the causes of data security breaches, the manner in which those incidents are handled, and the legal and regulatory aftermath for affected companies. Among the Report’s interesting takeaways is a rebuttal of the popular assumption that data security incidents are all about…