Archives: Cybersecurity


Six Proposals to Stop IoT-Based DDoS Attacks

On Oct. 21, 2016, an extremely large distributed denial-of-service (DDoS) attack on Dyn prevented many internet users on the East Coast of the U.S. from accessing websites such as Netflix, PayPal, Spotify and Twitter for several hours. Dyn provides domain name system (DNS) services to other businesses. DNS services resolve web addresses into IP addresses, …

Privacy and Security in the Voting Booth

Could the presidential election be hacked? With Election Day upon us, concerns about the security of the U.S. election system have reached a fever pitch. But how likely is it that a breach could affect the election? Could hackers really make cries of a “rigged” election come true? The U.S. government is definitely concerned about …

FCC Wades Back Into Data Privacy and Security for ISPs With Revised Privacy Proposal

Recently, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler circulated to the Commission a revised proposed order to regulate the data privacy and security practices of internet service providers (ISPs) (also known by the Commission as broadband internet access service (BIAS) providers). We previously wrote about the Commission’s initial proposal in this regard (available …

Former SEC Commissioner Louis A. Aguilar Describes Corporate Directors’ Cybersecurity Duties

When Louis A. Aguilar was a commissioner at the Securities and Exchange Commission, he helped organize the SEC’s March 2014 roundtable to discuss the cyber risks facing public companies. The numerous data breaches that have occurred at public companies, from Target to Yahoo and many more, show that public companies have not yet succeeded in …

Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an …

Unanimous FTC Finds LabMD’s Data Security Practices Violated Section 5 of the FTC Act

On July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal …

Deeper Dive: State-Backed Attack Groups Target U.S. Businesses

In 31 percent of the data security incidents that BakerHostetler’s Privacy and Data Protection Practice Team helped clients address in 2015, attackers used phishing, hacking and malware to access client data. 2016 Data Security Incident Response Report, 3. Chinese state-supported attackers have long targeted the intellectual property of U.S. businesses. As we discussed in an …

Illinois Enacts Sweeping Changes to the Illinois Personal Information Protection Act

On May 6, 2016, Illinois joined a growing number of states that have strengthened their data breach notification requirements and expanded the definition of protected personal information. Effective January 1, 2017, HB1260 amends the Illinois Personal Information Protection Act (PIPA) to broaden the definition of protected personal information, which will now include an individual’s first …

What Companies Need to Know About Cyber Threat Information Sharing Under CISA

Cyber threat information sharing has the potential to provide numerous benefits for organizations (both public and private) faced with cyberattacks, which are increasing in frequency and sophistication. Cyber threat information sharing can enable organizations to enhance their cyber preparedness and defenses by leveraging the knowledge and experience of a broader community and improve their awareness …

Deeper Dive: Plan for Regulatory Scrutiny in Financial Services Data Security Incidents

Companies in the financial services industry were involved in 18% of the more than 300 data security incidents we helped manage in 2015 and reported on in our 2016 BakerHostetler Data Security Incident Response Report (the “Report”). After healthcare, the financial services industry was the second most affected industry according to the data we reported. It is not surprising …

Mobile Apps That Appeal to Children Face Increased Regulatory Scrutiny

In September 2015, the Online Interest-based Advertising Accountability Program (Accountability Program) of the Advertising Self-regulatory Council (ASRC) began enforcing the Digital Advertising Alliance (DAA) Guidelines for Mobile Advertising (Mobile Guidance) and now the inevitable has happened: the Accountability Program has issued three compliance decisions with mobile app publishers whose apps allegedly failed to comply with …

New Cop on the Block – FCC’s Proposed Data Privacy and Security Rulemaking for Broadband Internet Access Providers

In 2015, the Federal Communications Commission (FCC or Commission) issued its Open Internet Order, applying Section 222 of the federal Communications Act to broadband Internet access services (BIAS), and in doing so took jurisdiction over privacy and data security matters for Internet Service Providers (ISPs). In doing so, it declined requests by some advocacy …

Internet Service Providers Face New Regulatory Environment in the FCC’s Privacy and Security Proposal

On March 31, 2016, the Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) of privacy and security regulations for Internet service providers (ISPs). The NPRM, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, available here, is intended to apply privacy requirements of the federal Communications …

Deeper Dive: Human Error Is to Blame for Most Breaches

Each year, as companies implement the latest security technologies, attackers develop and launch new tactics, techniques, and procedures to circumvent those technologies. While investment in security defense and detection technologies is an essential component to building an effective defense-in-depth strategy, the reality is that most breaches can be traced back to human error. In our …

New Take on Old Phishing Scam Wreaking Havoc on HR Departments

From would-be Nigerian princes to foreign lottery officials, cybercriminals have been known to assume all sorts of false identities to carry out email phishing scams that trick unsuspecting consumers into clicking on fraudulent links or divulging personal information to strangers. We often see a spike in this type of activity around tax season, when fraudsters …

Legal Developments in Connected Car Arena Provide Glimpse of Privacy and Data Security Regulation in Internet of Things

With the holiday season in the rear view, automobiles equipped with the newest technology connecting carmakers with their vehicles, vehicles with the world around them, and drivers with the consumer marketplace – Connected Cars – have moved from the lots to driveways. Automakers are remaking their fleets to offer unprecedented choice and convenience to drivers. …

Encryption: The Battle Between Privacy and Counterterrorism

For privacy advocates, it is universally accepted that encryption is a very good thing. After all, encrypted data is deemed a safe harbor under HIPAA and state breach-notification laws, providing an “out” from potential fines and penalties when an encrypted device is lost that contains sensitive health or other personal information. In addition to encouraging …

The CFTC’s Proposed Standards Identify Cybersecurity Best Practices

The Commodity Futures Trading Commission (CFTC) offered several reasons for proposing five new cybersecurity testing requirements for the commodity trading platforms it regulates in its December 23, 2015, Notice of Proposed Rulemaking: More than half of the securities exchanges surveyed in 2013 reported that they had been the victim of cyberattacks. 80 Fed. Reg. at …

Incident Response Tip: Five Ways to Improve Information Security and Reduce the Impact of a Data Breach

The new year will arrive in a few short days and when the bell tolls, it will mark the end of another extremely active year of data breaches. High-profile breaches such as Anthem, Ashley Madison, and the Office of Personnel Management serve as a reminder that it is a matter of when, not if, your …

EU’s Network and Information Security Directive: Regulating “operators of essential services” and “digital service providers”

The European Union continues to move forward with a proposed unified framework to strengthen network and information security systems across its member countries. On December 18, 2015, the Permanent Representatives Committee (Coreper) approved a provisional agreement reached on December 7, 2015, by the European Parliament and European Council on the Network and Information Security Directive …

Disregard CISA Chicken Littles: CISA Boosts U.S. Cyber Defense While Protecting Privacy

Yes: the Cyber Information Sharing Act of 2015 (CISA) was slipped into the must-pass Omnibus Spending Bill last week by House negotiators and became law on Friday. No: despite protestations from some quarters, the sky has not fallen on our personal privacy. Although critics decry CISA for providing the National Security Agency (NSA) with a …

What the FTC’s Settlement With Wyndham Means for Your Company

The recent settlement entered into between the Federal Trade Commission (FTC) and Wyndham Hotels and Resorts and related companies (Wyndham) provides an important roadmap for companies seeking to avoid running afoul of the FTC’s regulation of data security. In particular, this settlement, as embodied in a Consent Order entered by the Court, provides Wyndham Hotels and …

New York Department of Financial Services Sets Forth Extensive Cybersecurity Regulatory Framework Proposal

On November 9, 2015, the New York State Department of Financial Services (NYDFS) issued a letter to the members of the Financial and Banking Information Infrastructure Committee (FBIIC) detailing a new cybersecurity framework proposal for “covered entities,” or financial institutions regulated by NYDFS. The framework builds on data from NYDFS reports surveying cybersecurity programs from …