Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Cyber and National Security

General Counsel, Is Your Website Vulnerable?

Posted in Cyber and National Security, Technology, Workplace Privacy

A report just released by the security startup Menlo Security found that one-third of the top one million websites have already been compromised with malware or are running outdated or unpatched software that is vulnerable.

The problem is two-fold:

1. Does your website contain vulnerabilities?
As the report notes, these website vulnerabilities are easily detectable by hackers. In fact, information about the software running on your website (e.g., web servers, content management systems, application frameworks) is readable by any standard browser and can easily be cross-referenced against publicly available lists of known vulnerabilities. If your website software is out of date, you are a potential target.

What can you do? Your technical and security teams should have formal processes for scanning your website for new vulnerabilities and making sure that all website software is promptly patched and updated. Simply running the most current version of the software can help eliminate many of the known threats.

If you find that your website has been compromised, have a prepared incident response plan that has been tested so that you can react quickly. Companies that are able to identify and respond to security incidents in a quick and comprehensive manner are usually ...

GAO Puts Cybersecurity and Privacy High Atop High Risk List

Posted in Cyber and National Security

Agency Assessment Comes as President Signs Executive Order Increasing Cyber Sharing with the Private Sector

Late last year, this post speculated whether 2015 would become “the Year of Cybersecurity.” Though 2015 is still young, it certainly feels like the prediction was accurate given the continued attention that cybersecurity is receiving from the White House, Congress, and federal agencies like the Government Accountability Office (“GAO”). The GAO recently issued a new report ranking threats related to cybersecurity and privacy among the high risk areas for the federal government and the nation’s critical infrastructure.

On February 11, the GAO published its High Risk List, a biennial report released at the start of each new Congress in which the GAO details the program areas, government practices and particular federal agencies that are at high risk due to their susceptibility to fraud, waste, abuse or mismanagement.

The cybersecurity of both the federal government and critical private infrastructure has been on the GAO’s High Risk List since 2003, but the GAO expanded the designation for the first time this year to include the privacy of personally identifiable information (“PII”) held by the government and private sector. Privacy’s addition to the High Risk List was ...

White House Big Data Working Group Claims “Significant Progress” On Executive Branch Privacy Initiatives, But Blames Congress and Big Data Stakeholders for Delaying Important Privacy Legislation and Voluntary Actions

Posted in Cyber and National Security, Policy and Regulatory Positioning

On February 5 the White House big data and privacy working group released an “Interim Progress Report” (hereinafter “the Interim Report”) summarizing its “progress in furthering the majority of the recommendations made” in its May 2014 report, “Big Data: Seizing Opportunities, Preserving Values” (hereinafter “the Big Data Report”), discussed here.

The Big Data Report followed President Obama’s call “to explore how [big data is] changing our economy, our government, and our society,” and its “implications on personal privacy.” While much of the Big Data Report emphasized the societal benefits of big data (e.g., improving the economy, education, health and energy efficiency), the working group found that “absent strong social norms and a responsive policy and legal framework,” personal privacy may be difficult to protect with technological advances alone. To that end, the Big Data Report recommended 6 policy initiatives “deserving prompt action:”

  • Advance the Consumer Privacy Bill of Rights (“CPBR”), a framework that the White House first proposed in 2012 to give consumers greater control over the collection and use of their personal information by businesses and other organizations;
  • Pass National Data Breach Legislation, to provide a single national data breach standard;
  • Ensure Data Collected ...

Farewell, Federal Cybersecurity Incentives?

Posted in Cyber and National Security, Policy and Regulatory Positioning

Administration Takes Private Sector Incentives Off the Table, While Obama Calls for $14 Billion in FY 2016 Budget to Strengthen Government’s Cybersecurity Efforts

The White House’s Cybersecurity Coordinator Michael Daniel announced on Monday that the government will not offer incentives for private sector businesses to adopt the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Instead, Mr. Daniel declared that the free hand of the market is the best means to encourage the private sector to adopt NIST’s voluntary cybersecurity measures to better guard against cyber risks. Mr. Daniel’s announcement came in response to suggestions made by the departments of Commerce, Treasury, and Homeland Security in 2013 on how to incentivize private companies to adopt the NIST Framework. While Mr. Daniel did mention some of these methods, he plainly stated that “we [in the Administration] believe that the market offers the most effective incentives for the private sector to adopt strong cybersecurity practices” and that “developing a government program to award a ‘seal of approval’ would likely reduce the flexible use of the Framework.”

Curiously, Mr. Daniel’s announcement came the same day that the White House also released President Barack Obama’s proposed Fiscal Year 2016 Budget ...

World Economic Forum Releases Framework to Quantify Cyber Threats

Posted in Cyber and National Security

In conjunction with its annual meeting this week, the World Economic Forum released a report on its current efforts to develop a common framework to model and quantify the impact and risk of cyber threats.  The report highlights that “even well-guarded [organizations] face the threat of a cyberattack.”

The report embraces the value-at-risk mathematical function that is widely used by the financial services sector to measure risk in a particular portfolio over a period of time. The value-at-risk function can be used to express the probability that a cyber event will exceed a threshold financial loss over time (e.g., with 95% confidence, a successful cyberattack will not cause the company to lose more than X dollars).

The report identifies three value-at-risk components:

  1. Vulnerabilities: the vulnerabilities within an organization and the mitigating controls that are in place;
  2. Assets: tangible and intangible assets that are under threat; and
  3. Profile of attacker: the type, tactics and motivation of your attackers.

The impact of these variables will vary by industry and based on the maturity of an organization’s security program. Importantly, the report recognizes that there are a number of significant limitations that inhibit organizations from quantifying their cyber risks using this ...

Cybersecurity: The Human Factor

Posted in Cyber and National Security

Financial institutions are under a constant and growing cyber assault from hacktivists that want to cause online mischief, criminals that want to steal consumer data and nation-states that are looking for a military, political or economic advantage. In this increasingly costly war, the focus is often on the latest hardware, software and analytics to fortify the defenses. While technical security controls are an essential weapon in the arsenal, organizations should re-double their attention on the weakest link in their security suit of armor—their people. In the Nov/Dec 2014 issue of the FinTech Law Report, DWT payments team members Chris Avery and Gwen Fanger explore the human side of cyber defenses, including both a look at the inadvertent human errors and administrative failures that have contributed to some of the most significant cyber events and how administrative controls are woven into the recently released Cybersecurity Framework. They also offer some practical advice on how to improve the security posture of financial organizations with an increased focus on the “human element” and its role in cybersecurity.

To read the article, click here.

Advisory Alert: A Corporate Counsel’s Guide to Cyber Insurance

Posted in Cyber and National Security, Data Protection

On an almost daily basis, you are reminded of why you should worry about the security of your company’s data and information systems. Whether it be from headlines in hard copy, broadcast, or online media, your senses have been slammed with one sensational story after another about increasingly massive data breaches. You may have even read about malware that continues to morph once it tunnels into a system, allowing it to evade detective software. You have seen serious economic and reputational damage done to businesses because cyber thugs launched an attack against their digital infrastructure. You have also seen class actions filed by consumers, derivative actions filed by investors, and enforcement actions taken by regulatory agencies.

Continue reading here.

Congress Funds Cybersecurity: Spending Bill Allocates over $1 Billion to Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

The final spending bill of the 113th Congress, which keeps the government doors open until September 30th of 2015, was passed by the House on December 11th, the Senate on the 13th, and signed by the President on December 16th. It is a $1.1 trillion omnibus spending bill that will direct well over $1 billion toward cybersecurity. Among other things, it will provide $675,500,000 for the National Institute of Standards and Technology (NIST) scientific and technical core programs, which includes $15,000,000 for the National Cybersecurity Center of Excellence, up to $60,700,000 for cybersecurity research and development, $4,000,000 for the National Initiative for Cybersecurity Education, and $16,500,000 for the National Strategy for Trusted Identities in Cyberspace. It also allocates funds to various other federal agencies specifically for cybersecurity, as well as to federal investigative agencies to combat cybercrime. Some of the funds are directed toward developing a more robust cybersecurity workforce, including $35 million to the General Services Administration (GSA) for construction of a “civilian cyber campus” that would house federal employees and contractors dedicated to the civilian cyber security mission. According to a GSA prospectus on the project, the goals of the ...

Congress Confirms NIST’s Role in Cybersecurity – and the Continuation of the Cybersecurity Framework

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Cybersecurity Enhancement Act of 2014 (CEA) was passed by the House and the Senate on December 11th, and signed by the President on the 18th. The bill formalizes the role of the National Institute of Standards and Technology (NIST) in continuing to develop the voluntary Cybersecurity Framework. Through five “titles,” the bill includes provisions to promote cybersecurity research, private/public sector collaboration on cybersecurity, education and awareness, and technical standards, which includes a federal cloud computing strategy.

Title I of the CEA, entitled “Public-Private Collaboration on Cybersecurity,” amends the NIST Act to permit the Secretary of Commerce, through the Director of NIST, to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure – this would be the Cybersecurity Framework. It requires the Director of NIST to coordinate continuously with, and incorporate the industry expertise of, relevant private sector personnel and entities, critical infrastructure owners and operators, sector coordinating councils, Information Sharing and Analysis Centers, and other relevant industry organizations. It also requires the Director of NIST to consult with the heads of agencies with national security responsibilities, sector-specific agencies, state and local governments, governments ...

Congress Passes Cybersecurity Workforce Legislation

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Border Patrol Agent Pay Reform Act of 2014 was passed by the Senate on September 18th, by the House on December 10th, and signed by the President on December 18th. It contains provisions from the Cybersecurity Workforce Recruitment and Retention Act of 2014, which allows the Secretary of the Department of Homeland Security (DHS) to establish cybersecurity positions within DHS to better meet its cybersecurity mission. Another piece of legislation, the Cybersecurity Workforce Assessment Act (CWAA), was passed by the Senate on December 10th, by the House on December 11th, and was also signed by the President on December 18th. It requires DHS to evaluate and enhance its cybersecurity workforce. It requires the Secretary of DHS, within 180 days of the enactment of the CWAA and then annually for the next three years, to assess the cybersecurity workforce of DHS. Among other things, the assessment is to include an evaluation of the readiness and capacity of the DHS workforce to meet its cybersecurity mission.

Comprehensive workforce strategy: The CWAA requires the Secretary of DHS, within one year of its enactment, to develop a comprehensive workforce strategy ...

Congress Passes The Federal Information Security Modernization Act of 2014: Bringing Federal Agency Information Security into the New Millennium

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Federal Information Security Modernization Act of 2014 (FISMA) was passed by the Senate on December 8th, by the House on December 10th, and signed by the President on December 18th. It is a comprehensive bill intended to bring federal agency information security practices into the new millennium – to better respond to evolving cybersecurity threats. FISMA updates the Federal Information Security Management Act of 2002, and provides a comprehensive framework for ensuring the effectiveness of information security controls over federal information operations and assets. It recognizes the highly networked nature of current federal computing environments and the complex task of coordinating information security efforts throughout the civilian, law enforcement and national security communities. It also acknowledges that commercially developed information security products offer effective information security solutions, and that the choice of specific information security solutions should be left to individual agencies, selecting from among commercially developed products.

FISMA oversight: FISMA reestablishes the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to federal agency information security policies and practices. This includes the development and implementation of principles, standards and guidelines pertaining to information security within federal agencies, and coordinating the development of ...

Congress Passes the National Cybersecurity Protection Act: Codifies National Cybersecurity Center & Creates Federal Agency Data Breach Notification Law

Posted in Cyber and National Security, Policy and Regulatory Positioning

The National Cybersecurity Protection Act of 2014 (NCPA) was passed by the House on December 8th, by the Senate on December 10th, and signed by the President on December 18th. Senate Committee on Homeland Security and Governmental Affairs Chairman Tom Carper (D-Del.) issued the following statement regarding the NCPA: “Cybersecurity is one of the biggest national security challenges our country faces. Our laws should reflect that reality. By codifying the Department of Homeland Security’s existing cybersecurity operations center, the National Cybersecurity Protection Act of 2014 bolsters our nation’s cybersecurity while providing the department with clear authority to more effectively carry out its mission and partner with private and public entities. It is critical that the department continues to build strong relationships with businesses, state and local governments, and other entities across the country so that we can all be better prepared to stop cyber-attacks and quickly address those intrusions that do occur.”

Codification of the National Cybersecurity and Communications Integrity Center: The NCPA codifies the existing cybersecurity and communications operations center at DHS, known as the National Cybersecurity and Communications Integrity Center (NCCIC). The bill directs the NCCIC to provide a number of services, ...

Cybersecurity Legislation Focuses on Federal Government Initiatives – Leaves Private Sector Reforms for 2015

Posted in Cyber and National Security, Policy and Regulatory Positioning

One of the few things the parties in Congress can agree upon these days is cybersecurity – at least when it comes to directing the federal government’s cyber activities. In its final days, the 113th Congress reached agreement on several major pieces of legislation intended to improve the nation’s cybersecurity: the National Cybersecurity Protection Act of 2014, the Federal Information Security Modernization Act of 2014, the Border Patrol Agent Pay Reform Act of 2014 (a bill that contains provisions from the Department of Homeland Security (DHS) Cybersecurity Workforce Recruitment and Retention Act of 2014), the Cybersecurity Workforce Assessment Act, and the Cybersecurity Enhancement Act of 2014. All of these were signed by the President on December 18th, and will be funded by a $1.1 trillion spending package signed by him on December 16th. In total, the bills update the federal government’s roles and responsibilities with respect to planning for and responding to cyber threats, helping agencies move into the 21st century with a trained workforce. What is notably absent in this nicely wrapped package of bills, however, are any meaningful reforms for the private sector.

Subsequent posts will provide details ...

Federal Financial Institutions Examination Council Releases Cybersecurity Assessment Results: Boards of Directors and Senior Management Need to Engage

Posted in Cyber and National Security

The Federal Financial Institutions Examination Council (FFIEC) released general observations yesterday from a cybersecurity assessment of over 500 community financial institutions. The cybersecurity assessment evaluated the institutions’ preparedness to mitigate cyber risks. It ultimately found that due to the critical dependence of financial institutions on information technology to conduct business operations, combined with increasing sector interconnectedness and the rapidly evolving cyber threats, it is more important than ever before that boards of directors and senior management be engaged in managing cybersecurity risk.

The cybersecurity assessment was piloted during the summer of 2014 by FFIEC membership which consists of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the State Liaison Committee. The assessment supplemented regularly scheduled exams and built upon key supervisory expectations contained within existing FFIEC information technology handbooks and other regulatory guidance.

The cybersecurity assessment found that the level of cybersecurity inherent risk varies significantly across financial institutions. Due to the varied risks, the FFIEC stated that it was important for financial institution management to understand their inherent risk to cybersecurity threats and vulnerabilities. ...

Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments

Posted in Cyber and National Security, Data Protection, Financial Services, Marketing and Consumer Privacy

“For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers.” – Thomas J. Curry, Comptroller of the Currency

In comments before the Risk Management Association’s Governance, Compliance, and Operational Risk Conference last month, Thomas J. Curry, Comptroller of the Currency and Chairman of the Federal Financial Institutions Examination Council [1] stated that “Attacks on our information infrastructure are everywhere. … For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers. Some attackers target banks because they want to undermine confidence in our country’s financial system. Penetrating the information defenses of any one system may enable attackers to penetrate another, and that in turn could enable more widespread attacks on the broader economy.”

Comptroller Curry stated that helping to make banks less vulnerable and more resilient to cyber-attacks has been one of his top priorities as Comptroller and Chairman of the FFIEC. As part of this effort, he formed the Cybersecurity and Critical Infrastructure ...

“…Because That’s Where the Money Is.” OCC Head Highlights Oversight of Cybersecurity for Financial Industry—Will All Vendors Cooperate?

Posted in Cyber and National Security

Why are banks often tempting targets for criminals and terrorists alike? Thomas Curry, the head of the Office of the Comptroller of the Currency (OCC), recently reminded us: “…because that’s where the money is.” But what most worries the Comptroller is not a modern-day Bonnie & Clyde or John Dillinger attacking banks from without, but rather scofflaws, “hacktivists,” terrorists and foreign regimes exploiting vulnerabilities in the financial industry’s cybersecurity and striking from within.

Over the last few months, Mr. Curry has taken to the speaking circuit, venturing from the Consumer Electronics Show (CES) Government Conference last April to the New England Council in May to raise the question of how vulnerable the nation’s financial sector is to cyber-attack. Mr. Curry noted that while consumers are rightfully concerned about the security of the financial tools they use on a daily basis—from credit card readers at the mall to Internet bill pay and online banking—many do not consider “what goes on behind the scenes” to process these transactions. “Yet the impact of a cyber-attack on those systems could be even more disruptive than a data leak at a large retail store,” Mr. Curry told the CES. “It’s one thing to worry about ...

Department of Energy Invites Cybersecurity Comments

Posted in Cyber and National Security, Energy

In a Federal Register notice to be officially published Friday, June 20, 2014, the Department of Energy (DOE) is inviting public participation in its efforts to develop a guidance document entitled “Energy Sector Framework Implementation Guidance.” The term “Framework” references the Framework for Improving Critical Infrastructure Cybersecurity which was released by the National Institute of Standards and Technology (NIST) on February 12, 2014. In a prepublication notice, the DOE announced that “[t]he document is being designed to help energy sector stakeholders develop or align existing cybersecurity risk management programs with the Cybersecurity Framework. The document will also take in to consideration energy sector organizations that may have business activities across multiple critical infrastructure sectors, e.g., Dams, Transportation, Chemicals, etc. requiring a harmonized implementation approach with these other sectors.” The notice stated that bi-weekly conference calls will “provide periodic opportunities for participants to comment on the incremental updates to the Draft Framework Implementation Guidance document.” ...

Managing Risk in an Inhospitable Environment: The Restaurant and Hospitality Industries are an Alluring Destination for Cyber Thieves

Posted in Cyber and National Security, Data Protection, Retail/Hospitality

The recent onslaught of cybersecurity incidents and payment card thefts dominate daily headlines and have captured the nation’s attention—from the diner whose credit card was compromised during a data breach to the President of the United States who recently advocated passage of national data breach legislation: everyone has a stake in this issue. Beyond the headlines, however, the hospitality and restaurant industries are under constant attack by cyber thieves attempting to breach point of sale (PoS) servers and any other crack in their digital infrastructure. And while the data breaches reported by Target, Michaels and Neiman Marcus dominated the headlines, cyber thieves focused much of their attention on food, beverage and hospitality providers. The quick take away is that where data can be obtained and monetized, it will be stolen and the restaurant and hospitality industries are an alluring destination for cyber thieves.

The PoS Problem
In 2012, credit card and debit card fraud resulted in losses of $11.27 billion. While the total cyber theft losses for 2013 are not yet known, over 342 million identities were compromised in 2013. It appears that the most common cyberattack, and perhaps the most devastating economically and reputationally, involves the compromise of PoS ...

Government Officials Continue to Reference NIST Framework

Posted in Communications/Media, Cyber and National Security, Data Protection

On Thursday, June 12, 2014, while delivering remarks on cybersecurity at the American Enterprise Institute in Washington, D.C., Federal Communications Commission Chairman Tom Wheeler challenged businesses to be more proactive in addressing increasingly prevalent threats to their cybersecurity, urging them to embrace a “new paradigm” in which the private sector takes the lead and regulators step in to address shortcomings. In doing so, he urged businesses to use the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Wheeler’s comments followed similar comments two days earlier by U.S. Securities and Exchange Commissioner Luis Aguilar. As mentioned in our previous advisory, during a “Cyber Risks and the Boardroom” Conference at the New York Stock Exchange on June 10, 2014, Commissioner Aguilar noted that while the NIST Framework provides voluntary guidance for any company, some commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure to cybersecurity issues or for insurance purposes. ...

SEC Commissioner Calls on Corporate Boards to Address Cybersecurity—Refers to NIST Cyber Framework as “the Bible”

Posted in Communications/Media, Cyber and National Security, Data Protection

While attending the “Cyber Risks and the Boardroom” Conference at the New York Stock Exchange on Tuesday, June 10, 2014, U.S. Securities and Exchange Commissioner Luis Aguilar called on corporate boards to make sure they are taking the necessary steps to address and oversee their companies’ cybersecurity risks. In a prepared statement, he said that ensuring the adequacy of a firm’s cybersecurity measures “needs to be a critical part of a board of directors’ risk oversight responsibilities.” He said that “(e)ffective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”

United States Charges China with Cyber-Espionage in Unprecedented Indictment

Posted in Cyber and National Security, Global

This morning, the U.S. Department of Justice (DOJ) announced that a grand jury in the Western District of Pennsylvania has indicted five Chinese military officials on charges of computer hacking, economic espionage, and related offenses. The indictment marks the first time that the DOJ has filed charges against a state actor for cyber-theft and cyber-espionage crimes.

The indictment alleges that, between 2006 and 2014, the five individuals, while working for the Chinese People’s Liberation Army, hacked or attempted to hack into six U.S. companies in the nuclear power, solar, and metals industries to steal sensitive, non-public business information and trade secrets. The indictment alleges that the defendants stole this information to obtain economic advantages for Chinese state-owned enterprises (SOE) and other state interests. A summary of the specific allegations may be read in the DOJ’s press release about the indictment. The allegations of criminal conduct range from the defendants stealing proprietary information from Westinghouse Electric Co. about the design of its power plants while it was in negotiations with an SOE for the construction of plants in China, to the theft of emails from the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union ...

California Bill Would Create Cyber Security Commission

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

In recognition of the increasing threat that cyber-attacks pose to the state’s infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a “Cyber Security Commission.”

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor’s Office and Legislature on the status and progress of cyber security efforts.

The commission would be comprised of a wide range of representatives from the Legislature, private industry, state, local, and federal government, including the following or their designees who have knowledge in information technology and information security: the California Director of Technology, the Chief of the California Office of Information Security, the President of the California Public Utilities Commission, representatives from the state universities, private sectors (retail, finance, utilities, healthcare or technology), the FBI, and the federal Department of Justice. Among other things, AB 2200 requires the Cyber Security ...

California AG Weighs in on Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

Just as NIST completes its version 1.0 national Framework for Improving Critical Infrastructure Cybersecurity, California Attorney General Kamala Harris has made clear she intends a leadership role for California. With a guide called “Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents,” the AG offers a simplified, brief, and plain English version of cybersecurity protections directed toward small and medium size California businesses that likely lack the resources to hire full-time cybersecurity personnel. The Guide’s “Practical Steps to Minimize Cyber Vulnerabilities” are based on acknowledged deficiencies in the devices, websites, and apps at the network’s edge, and on the need for users and businesses to discipline their behavior and increase their vigilance against threats. The best practices outlined in the Guide are not unique to small or medium size businesses and overlap to a large extent NIST’s perspective on threats and cyber recommendations from many sources. The NIST Framework provides greater detail and is more explicit in the latitude it provides for business judgments about the proportionality of precautions with respect to the specific risks. Both the California Guide and NIST Framework seek to ...

FTC’s 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

Posted in Cyber and National Security, Healthcare, Litigation

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.