Cybersecurity & Data Privacy Insights

If you are not already thinking about cybersecurity for your company or firm, you should be. Regardless of your organization’s size or industry, cybercrime is probably the greatest threat to your bottom line today.

One of the most important things a company or firm can do is regularly assess its own defenses to learn where its cybersecurity weaknesses and vulnerabilities lie. The results of such an assessment will most likely be a lengthy list of potential problem areas that, in an ideal world, would all be promptly and exhaustively remedied. Often that is not feasible: most companies have budgetary and other practical limitations that force them to prioritize which vulnerabilities to address first, and to decide how far each one can reasonably be remediated at a given time.

Unfortunately, this scenario creates another problem. The company or firm ends up with a written report identifying all manner of cybersecurity weaknesses, and then a set of actions that address some, but not all, of them. If the organization later suffers a breach, that written report is likely to become Exhibit A in any plaintiff’s action against the company over the breach. The report, after all, shows that the company or firm knew about specific vulnerabilities and chose not to remedy several of them.

Lindabury’s Cybersecurity and Data Privacy Practice Group Co-Chair Eric Levine was recently interviewed by NJBIZ regarding the recent security lapse at a South Jersey physicians’ network, which wiped out the password protection on a supposedly secure site.

Eric says, “A company that engages in thorough due diligence may be able to use that as a defense if it’s sued as a result of a third-party provider hack.”

“It’s important to deal with cybersecurity and other issues up front, especially when you’re dealing with a new vendor,” Levine said. “Consider the depth of access to your data that they need, too. If a firm is just providing you with paper products, they don’t need deep access to your data, so a cybersecurity audit may not be very important.”

Published on:
Updated:

Robert Anderson, Co-Chair of Lindabury’s Cybersecurity & Data Privacy practice group, was recently interviewed by ROI-NJ’s Tom Bergeron regarding the European Union’s General Data Protection Regulation (GDPR), which took effect on May 25th. Bob feels GDPR will have a huge impact in Europe, where there is a different view of privacy. “In the EU, they have taken the position that privacy is a fundamental human right and we certainly have not taken that position in the U.S., especially in terms of digital information.”


Cybersecurity & Data Privacy practice group co-chair Robert Anderson’s recent interview was included in New Jersey Business Magazine’s recent cover story, “The Digital Landscape Evolves”. Regarding employees who work remotely, and who may now pose a risk to their companies, Bob says, “I think everybody, every company, realistically, within the constraints of what they can reasonably do, should devote significant attention to these kinds of remote access liability issues.” Bob will be among a panel of cybersecurity professionals at NJBIA’s upcoming “The Internet of Things – Transforming Your Business” Summit on April 20th in Newark, NJ.


Bob Anderson, co-chair of Lindabury’s Cybersecurity and Data Privacy practice group, was recently interviewed by Karen Talley of FierceCEO, a publication considered a must-read source for running a business. Bob told Ms. Talley that “there is a tendency for businesses to not put the emphasis on employees, but they are the greatest vulnerability” and that “most cyberbreaches are caused by employees, inadvertently.”


Eric Levine, Co-Chair of Lindabury’s Cybersecurity & Data Privacy practice group, was recently interviewed regarding the constant threat of cyberattack facing companies today. Eric says, “No matter how big or small your business, cybersecurity affects you. Companies need to anticipate that they will be a victim at some point, if they are not already. There are two types of companies out there: those that have been breached and those that have but just don’t know it.”



Over the past several months, our firm’s Cybersecurity and Data Privacy Practice team has had ample opportunity to report on a number of high-profile security and data breaches. That trend appears set to continue, as another massive cyber-breach was just reported. This time it was Uber whose network was breached, affecting some 57 million riders and drivers of the ride-sharing service, including the driver’s license numbers of roughly 600,000 drivers. Although it pales in comparison to the recent Equifax and Yahoo breaches in the number of individuals whose data was stolen, the Uber breach is just as instructive for developing your own awareness of how to respond to a data breach: Uber provides another example of what not to do when one occurs. Uber’s mistakes are numerous and could have long-lasting consequences. Here are a few of those mistakes, followed by some advice on how to avoid them.

Mistake #1: Uber fails to notify victims of the breach: Uber reported that its network was compromised in late 2016, yet it did not alert the victims until November 21, 2017. The scope of the breach is apparently international, with data protection agencies in the United Kingdom, Australia and the Philippines looking into possible violations of their respective countries’ privacy laws. In the United States alone, forty-eight different state laws govern security breach notification, many of which require notice to be provided as soon as possible. Waiting almost a year before notifying individuals whose information was unlawfully accessed likely exposes Uber to liability in the many states and countries in which it can expect to be, and has already been, sued. As of November 23, 2017, at least two class action lawsuits had been filed in California claiming that Uber “failed to implement and maintain responsible security procedures and practices appropriate to the nature and scope of the information compromised in its data breach”. Attorneys General from Illinois, New York, Connecticut and Massachusetts have reportedly opened investigations, and it is a practical certainty that dozens of their colleagues will soon follow their lead.

Mistake #2: Uber fails to notify governmental authorities of the breach: To make matters worse, in addition to not notifying the individual victims, Uber did not notify governmental agencies until recently. In doing so, Uber has potentially exposed itself to regulatory penalties, including fines and lawsuits, and will likely have to appear at state and federal inquiries, either voluntarily or under subpoena. Unfortunately for Uber, its explanation of why it failed to notify the proper authorities is going to be aired in public, likely in real time.


Lindabury partner Robert Anderson shares his insight in NJBIZ’s recent article, “The inside scoop on M&As: Plenty of big companies have learned the hard way how difficult mergers can be”.

Sometimes a planned M&A can be torpedoed by decisions that were made long ago, notes Robert W. Anderson, so a potential seller may wish to review its books and records long before putting up a “For Sale” sign.

One suggestion: do some housecleaning, and scour around for any loose ends. That’s because for a buyer, a “big part of an M&A involves due diligence; understanding what they’re buying and how the target company fits in with the acquirer’s business operations and goals,” says Anderson. “If they see a lot of issues, like unsigned contracts, or potential tax and other liabilities, they may back away from the deal.”

By now, everyone has likely been inundated with information about the Equifax data breach. If you are one of the few who has not heard what happened, here is the short version: as a result of poor data privacy hygiene, Equifax suffered an enormous security breach in which the credit information of over 143 million people, including Social Security numbers, names and addresses, was potentially exposed. The impact will be felt for a long time, and the consequences if you are affected could be significant.

So what exactly did Equifax do wrong? To be blunt, EVERYTHING. First, according to industry experts, Equifax failed to install a readily available security update (a patch for the Apache Struts web framework, as later reported), leaving it vulnerable to hackers. Second, the failure to patch was compounded by the fact that Equifax’s administrative passwords were simplistic, certainly for a company whose primary purpose is to store sensitive information, and were easily deciphered by the intruder. Third, and what makes matters worse, the security update had been available to Equifax for two months before the breach. Fourth, in addition to its lax cyber-hygiene, Equifax waited for months after it knew of the breach before reporting it to the public. Fifth, when Equifax finally reported the breach, the message it sent was a weak one that left the public feeling exposed and betrayed, especially when it turned out that certain Equifax executives had sold large quantities of company stock after the breach was discovered but before it was reported. It is hard to envision worse corporate conduct, both leading up to the breach and continuing to this day.

In the aftermath of such an historic cyber-breach, what lessons can companies and individuals learn, and what steps should be taken to mitigate the damage? At the corporate level, companies need to take cybersecurity and data privacy seriously, invest adequate resources in addressing the issue, and partner with professionals versed in all aspects of today’s cybersecurity environment, including legal counsel, technical/forensic experts and insurance professionals. Develop and implement prudent information technology practices, including continuous system maintenance, updating and patching of software, mapping, segregating and encrypting data, and active monitoring for intrusions or data loss. Prepare a plan for how to respond to breaches or data losses. Perform vulnerability assessments under the guidance of counsel, to determine where you need to shore up your defenses while maintaining the confidentiality of the assessment results through attorney-client privilege. Obtain insurance policies to blunt the impact of data breaches and to secure resources to assist with specific incidents such as ransomware or malware.


By now, most people are familiar with the 2013 data breach reported by Target. Described as one of the largest data breaches in U.S. history, Target acknowledged that hackers gained access to credit card and debit card data from up to 40 million of its customers. In the time since the breach, much attention has been given to its aftermath and what impact it would have on the future of cybersecurity. That future appears to have arrived, at least in part, with the announcement of a record-setting settlement between Target and forty-seven states, as well as the District of Columbia.

Under the settlement agreement, Target will pay $18.5 million to the participating states, in addition to the $10 million Target has already paid to consumers to settle a private class action lawsuit and the $39 million Target paid to several banks that serviced MasterCards used by Target’s customers. Yet the settlement is noteworthy for several reasons beyond the staggering financial component, and its implications offer some useful guidance for companies hoping to avoid a fate similar to Target’s.

First, anyone looking for direction on how to structure their own company’s internal cybersecurity protocols and defenses in a way that would ostensibly satisfy their state’s Attorney General can now look to the settlement agreement as a model (unless you are in Alabama, which did not participate in the settlement because it lacks a state data breach notification law, or in Wisconsin or Wyoming, which chose not to participate). While the settlement binds no one but Target, it represents a joint effort by nearly every state’s Attorney General to ensure that future cyber-breaches of Target’s magnitude do not occur. It is therefore likely a strong indicator of what state enforcement agencies will look for in future investigations when determining whether a company had proper cybersecurity safeguards in place. For instance, the agreement mandates that Target implement corrective measures such as maintaining appropriate encryption policies, implementing password rotation policies and two-factor authentication, and even segmenting cardholder data from the rest of Target’s computer network. (One caveat on the password rotation item: NIST’s 2017 digital identity guidelines, SP 800-63B, advise against forcing periodic password changes absent evidence of compromise, so rotation is best treated as one element alongside two-factor authentication and segmentation rather than relied on alone.) Incorporating such protections into your company’s cybersecurity and data privacy protocols is a sound practice, and one that now appears to carry at least some unofficial governmental approval.
