New Ohio Law Creates Legal Incentive to Create Cybersecurity Program

Implementing a robust cybersecurity program is a business investment. Recently, numerous states have proposed a return on that investment in the form of statutory incentives for organizations that maintain certain technical safeguards. Incentive-based legislation can be used to convince management that investing in a cybersecurity program will create a return in the future.

For example, last year, Ohio proposed a bill that created a legal incentive for companies to create and implement a cybersecurity program. The proposed bill has now passed and will become effective November 2, 2018 (“Ohio Data Protection Act” or “Act”).

Under the Act, a company can raise an affirmative defense to data breach tort claims (such as negligence) brought under the laws or in the courts of Ohio if the company created, maintained and complied with a written cybersecurity program. To establish the defense, a company would have to show that its security program contained administrative, technical and physical safeguards designed to protect either “personal information” or “personal information and restricted information.” Continue reading New Ohio Law Creates Legal Incentive to Create Cybersecurity Program

Dissecting 2018’s Mid-Year Data Breach Statistics

After the first six months of 2018, 4.5 billion data records have already been compromised according to a recent report. Data breaches have affected businesses large and small, from Adidas (two million records compromised) to Facebook (up to two billion accounts affected) to municipal airports and accounting firms, and 2018 has already seen more than its fair share of massive global data breaches.

The Gemalto Report

Digital security specialist Gemalto revealed in a new report that 945 data breaches led to a staggering 4.5 billion data records being compromised worldwide in the first half of 2018.

Although the total number of breaches was down from the same period the year before, the number of records compromised was up more than 130 percent, as the severity of individual incidents increased. Continue reading Dissecting 2018’s Mid-Year Data Breach Statistics

California Becomes First State to Pass IoT Security Law

California continues to pass tighter laws in the cybersecurity world.

California Governor Jerry Brown recently signed into law bill No. 327 which requires connected device manufacturers to include “reasonable” security features for those devices sold in California. With passage of this new law, California becomes the first state in the nation to adopt such legislation.

What the Law Requires

Beginning on January 1, 2020, the law will require a manufacturer of a connected device to equip the device with reasonable security features that are “appropriate to the nature and function of the device” and appropriate to the type of information the device collects, contains, or transmits. It also mandates that any maker of an Internet-connected, or “smart,” device ensure that the device has “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” Continue reading California Becomes First State to Pass IoT Security Law

Anthem Pays Record HIPAA Settlement After Largest U.S. Health Data Breach

In March 2015, Anthem filed a breach report with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) outlining what would become the largest health data breach in U.S. history. Investigators determined that hackers stole the ePHI of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

To settle the potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule, Anthem recently paid the largest settlement to date – $16 million.

The $16 million settlement far exceeds the previous high of $5.55 million paid to OCR in 2016.

OCR’s investigation found that Anthem (1) failed to conduct an enterprise-wide risk analysis, (2) had insufficient procedures to regularly review information system activity, (3) failed to identify and respond to suspected or known security incidents, and (4) failed to implement adequate minimum access controls.

In addition to the money settlement, Anthem agreed to a corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan may be found here.

Reduce Your Risk of a Costly Lost or Stolen Mobile Device

Mobile devices present unique security risks because their size and portability generally put them at higher exposure to threats than stationary devices. Indeed, lost and stolen mobile devices remain a leading cause of data breaches.

Here are some ways to reduce your risk of suffering damages resulting from a lost or stolen mobile device.

  • Create a company mobile device policy

Organizations should create a mobile device security policy that sets forth the rules of using company mobile devices and the penalties for non-compliance. The policy should include best practices on how to reduce mobile device risks including required employee training on how to properly and safely use mobile devices for business purposes.

  • Regularly install security patches and updates on all software including anti-virus software

Software vulnerabilities are discovered routinely, and software patches and updates often include fixes for those vulnerabilities. It’s best practice to install security updates as soon as they are available, on all devices, not just mobile devices. Continue reading Reduce Your Risk of a Costly Lost or Stolen Mobile Device

October is National Cybersecurity Awareness Month!

While cybersecurity awareness should be a focus of every month, October is the official National Cybersecurity Awareness Month (NCSAM), and the U.S. Department of Homeland Security (DHS) and its partners want to remind you about the importance of cybersecurity and individual cyber hygiene.

“Cybersecurity is our shared responsibility, and we all must work together to improve our Nation’s cybersecurity.”

Shared responsibility is the theme for NCSAM 2018, and the DHS is distributing a toolkit to make it easy for you and your organization, regardless of size or industry, to participate in NCSAM and promote solid cybersecurity practices.

Cybersecurity is bigger than one person, one department or one entity. For cybersecurity to be successful, every department, organization, industry, and country must participate.

After all, cybersecurity is only as strong as the weakest link! Continue reading October is National Cybersecurity Awareness Month!

Uber Settles Data Breach Investigation for $148 Million

On September 26th, Uber agreed to pay a record $148 million to settle allegations that the company intentionally concealed a major data breach in 2016.

The settlement ends a multistate investigation that found the ride-hailing company paid hackers $100,000 to conceal the breach, which exposed the names, email addresses, and cellphone numbers of 57 million users.

Uber failed to notify the 57 million affected individuals of the data breach and did not publicly disclose the breach, which occurred in late 2016, until November 2017, roughly a year after it happened.

Uber’s Response

Uber said in a November 2017 statement from CEO Dara Khosrowshahi that the breach was carried out by two hackers outside the company. The hackers accessed user data on a third-party, cloud-based service the company uses to store information. The hackers, however, were not able to download users’ Social Security numbers, bank account information, credit card numbers, dates of birth, and trip history, according to the company. Continue reading Uber Settles Data Breach Investigation for $148 Million

Bristol Airport Cyber Attack Leaves Passengers and Airport Staff Scrambling

Airline travelers at Bristol Airport, the UK’s ninth largest airport which handles more than 8 million passengers a year, were forced to read departure times off old-fashioned whiteboards due to technical issues caused by a recent cyber-attack.

Airport officials confirmed the airport was subject to an opportunistic ransomware attack. Ransomware is a type of malicious software that encrypts (“kidnaps”) user data and withholds the means to recover it unless a ransom is paid.

The Ransomware Attack

Ransomware (a form of cyber extortion) is a type of malware (i.e., malicious software) designed to hijack your computer by encrypting your important files and demanding a ransom, typically in cryptocurrency, in exchange for the decryption key. Cyber criminals commonly infect computers with ransomware by tricking a user into opening a malicious email attachment that downloads the ransomware, or by luring the user to a website that delivers it.

Furthermore, a growing number of attacks have used Remote Desktop Protocol (RDP) access and other approaches that don’t rely on any form of user interaction to cause the ransomware infection. Continue reading Bristol Airport Cyber Attack Leaves Passengers and Airport Staff Scrambling

OCR Issues Guidance for Sharing Medical Information During Hurricane Florence

As Hurricane Florence approaches the North Carolina coastline, OCR has released guidance to ensure that medical information is shared appropriately during the hurricane.

The Secretary of HHS has declared a public health emergency in North Carolina, South Carolina, and Virginia. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule.

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of the facility directory.
  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.

Continue reading OCR Issues Guidance for Sharing Medical Information During Hurricane Florence

NYDFS Cybersecurity Regulation Enters New Transitional Phase

Beginning on September 4, 2018, banks, insurance companies, and other financial services institutions regulated by NYDFS are required to comply with several additional requirements of the NYDFS cybersecurity regulation.

After September 4th, companies will be required to:

  • report annually to the board concerning critical aspects of the cybersecurity program;
  • have an audit trail that reconstructs material financial transactions to support normal operations in the event of a breach;
  • implement policies and procedures to ensure the use of secure development practices for in-house developed applications;
  • implement encryption to protect nonpublic information;
  • develop policies and procedures to ensure secure disposal of information not necessary for business operations; and
  • implement a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or nonpublic information.

Continue reading NYDFS Cybersecurity Regulation Enters New Transitional Phase