Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

Great news! Cyberinsurance for Spearphishing (BEC) now available from Grandpoint Bank

Posted in Cyber, eCommerce

Reuters reported that “Grandpoint said the coverage includes losses from wire-transfer scams including business email compromise [BEC]. In business email compromise schemes, fraudsters pose as executives or vendors from a business, sending requests for money transfers to accounts controlled by criminals.”  Grandpoint operates in Southern California, Arizona and Southern Washington and Reuters reported that:

Grandpoint said the policy, which is underwritten by Hiscox Inc, a unit of Hiscox Ltd, costs $30 to $70 per month for up to $1 million in coverage.

Reuters also pointed out that:

The approach is similar to mobile phone carriers offering customers insurance for lost or stolen phones, which is also available directly through insurers.

Let’s watch to see if other banks now start offering Cyberinsurance.

Cybersecurity strategies for CISOs include clear communications in plain English, not technical jargon!

Posted in Cyber, eCommerce

Forrester’s Report includes this observation for CISOs [Chief Information Security Officers] that creating “and maintaining a security strategy is fundamental for CISO success” but “…business colleagues need to be able to understand your strategy. If you cannot communicate it in a clear and concise manner, then all of your work will have been in vain.”  Forrester’s April 25, 2016 whitepaper published by Armor was entitled “Six Steps To A Better Security Strategy” and includes this comment about Step No. 1: Become A Credible Stakeholder:

As a security leader, your job is far more than just ensuring compliance; you have to be an expert, a collaborator, a consultant, and a decision-maker. For business executives to take your security strategy seriously, they must first see you as a capable executive. This requires some work:

Understand your organization. To be credible, you have to demonstrate that you understand what your organization does, makes, or sells, along with how it’s doing financially. More importantly, you should get to know its customers and what they care about.

Know the personalities. It’s vitally important that you understand who the key stakeholders are in your company and what their responsibilities are; their specific goals and pet projects will drive security requirements.

Here are all 6 Steps:

Step No. 1: Become A Credible Stakeholder

Step No. 2: Connect With The Business

Step No. 3: Find The Gaps

Step No. 4: Identify Security Challenges

Step No. 5: Brainstorm New Opportunities

Step No. 6: Bring It All Together

Good advice to help CISOs!

NET NEUTRALITY: The Internet is a public utility ruling headed to the Supreme Court which doesn’t get the Internet!

Posted in eCommerce, Internet Access, Net Neutrality

“For the third time in seven years” the DC Circuit Court of Appeals was confronted with “net neutrality—the principle that broadband providers must treat all internet traffic the same regardless of source,” and the New York Times’ article about the June 14, 2016 ruling says it all – “Court Backs Rules Treating Internet as Utility, Not Luxury.” The court’s opinion was 184 pages, which included a 69 page dissenting opinion, and the New York Times went on to say of the Federal Communications Commission (FCC) Net Neutrality rules:

The decision affirmed the government’s view that broadband is as essential as the phone and power and should be available to all Americans, rather than a luxury that does not need close government supervision.

However, my friend David McAtee II (AT&T Senior Executive Vice President & General Counsel) immediately said:

We have always expected this issue to be decided by the Supreme Court and we look forward to participating in that appeal,…

But given questions from the US Supreme Court about the Internet in the past, there is no way to predict the outcome of Net Neutrality at this point.

WEBCAST: Cyber Risk for Clients and Lawyers

Posted in Cyber, eCommerce

I will moderate this important live TexasBarCLE webcast on June 21, 2016 with Thomas Petrowski (Chief Division Counsel from the Dallas Office of the Federal Bureau of Investigation), Edward Block (Chief Information Security Officer at the Texas Department of Information Resources), and Ken Orgeron (Chief Information Officer at Gardere Wynne Sewell LLP). Please register for the State of Texas webcast for the live broadcast. Here are the topics covered in the webcast:

  • Cyber Intrusions
  • Identity Theft
  • Cyber Stalking
  • Phishing
  • Spearphishing
  • Malware
  • Ransomware

And the ethical topics include:

  • When and how to report a cyber intrusion and to whom
  • Attorney-Client Privilege in the cloud
  • Use of outside counsel to protect work product

Please join Tom, Eddie, Ken, and me for the live broadcast on June 21st.

Experienced outside counsel should be part of your Incident Response Plan (IRP) for cyber intrusions!

Posted in Cyber, eCommerce, IT Industry

Darkreading recommended that an IR team should include “outside legal counsel that possess specialized experience in cybersecurity and data breach responses” and “key stakeholders from all applicable areas of the organization, such as Legal, HR, Executive Management, PR/Communications, Information Technology” as well as third party vendors. The June 7, 2016 report entitled “How To Prepare For A Data Breach” quoted Rocco Grillo (head of Cyber Resilience at Stroz Friedberg), who described these five strategies:

  1. Have an IRP in place and test it regularly
  2. Know your organization’s “critical assets” and where they are
  3. Solidify your Dream Team of incident responders now
  4. Invest in the human component of security
  5. Train end users on best security practices

Sound advice to help when the cyber intrusion is detected!

Report of 50 cyber breaches since 2011 leads Congress to investigate cybersecurity at the Federal Reserve!

Posted in Cyber, eCommerce, IT Industry

Following a report about cybersecurity breaches by Reuters, the House Committee on Science, Space and Technology sent a letter to Fed Chair Janet Yellen stating that these “reports raise serious concerns about the Federal Reserve’s cyber security posture, including its ability to prevent threats from compromising highly sensitive financial information housed on the agency’s systems.” The June 3, 2016 letter from Chairman Lamar Smith (Texas) and Barry Loudermilk (Georgia, and chairman of the panel’s oversight subcommittee) requested the following 5 categories of documents no later than June 17, 2016:

  1. All cybersecurity incident reports created by NIRT (National Incident Response Team) and local cybersecurity teams.
  2. A detailed description of all confirmed cybersecurity incidents.
  3. All documents and communications referring or relating to higher impact cases.
  4. All documents and communications relating to NIRT’s policies and procedures for responding to cybersecurity incidents, including the incident guide.
  5. An organization chart for the Office of the Chief Information Officer (CIO), the Office of Chief Information Security Officer (CISO), and NIRT.

Given the role of the Fed in our financial system, this congressional investigation is critical.

Bad news for P.F. Chang’s: Court rules that all claims for 2014 data breach are not covered under its cyberinsurance!

Posted in Cyber, eCommerce

Businessinsurance.com reported that a federal court ruled that P.F. Chang’s cyber policy covered “direct loss, legal liability, and consequential loss resulting from cyber security breaches” but that “Chang’s and other merchants are unable to process credit card transactions themselves and must enter into agreements with third parties.” My friend Judy Greenwald’s June 2, 2016 article entitled “Chubb scores victory in key cyber ruling” reported that:

On June 10, 2014, Chang’s learned that computer hackers had obtained and posted on the internet about 60,000 credit card numbers belonging to its customers, and the company notified Federal Insurance of the breach that same day.

US District Judge Stephen M. McNamee granted summary judgment to Federal Insurance Co (a unit of Chubb) on June 1, 2016 in the case of P.F. Chang’s China Bistro Inc. v. Federal Insurance Co., ruling, after Bank of America had requested reimbursement of $1.9 from P.F. Chang’s, that:

(Bank of America) did not sustain a privacy Injury itself, and therefore cannot maintain a valid claim for injury against Chang’s.

Judy included this observation from policyholder attorney Robert D. Chesler (Anderson Kill P.C., Newark, New Jersey) that he:

…believes this is the first ruling on a cyber insurance policy, and is important because it could signal a wave of litigation between cyber insurers and policyholders

There may be an appeal, so it may not be over yet!

Cyber security & cooperation improves with elimination of IT network silos!

Posted in Cyber, IT Industry

A recent IT network report indicated that “Top-tier organizations are also much less tolerant of silos – either in their tools or in their teams” and “are four times as likely to invest in machine-readable threat intelligence.” The 2016 Network Protection Survey from Infoblox reported that the “estimate [of] the cost of a typical unplanned network outage now tops $740,000,” so security planning is essential. Here’s what the Report had to say about banishing silos:

They are nearly nine times as likely to use integrated visibility tools, four times as likely to use integrated security tools and fully 100 percent report moderate to complete cooperation and coordination between their network, security and app teams (versus less than half of the bottom-tier).

Often, these silos are not formed consciously. A network engineer for a large technology support company in the Southern U.S. commented, “IT shops are running so lean these days, even just knowledge transfer is prohibitive. Silos often form simply because we don’t have time to share.”

The Report offers these 5 lessons:

  1. Get Rid of Silos.
  2. Pay Attention to Operational Realities.
  3. Prioritize Based on Risk Analysis.
  4. Be Realistic about Security Staffing.
  5. Automate Routine Tasks.

Good advice that more IT leaders need to pass along to management!

GUEST BLOG: HIPAA Compliance Audits, Round 2 – Are You Ready to Rumble?

Posted in eCommerce, Internet Privacy

My Guest Blogger Eric Levy is a senior attorney in Gardere’s Trial Practice Group who specializes in complex litigation with a focus on technology and Internet eCommerce related issues.


Over the next few months, the Office for Civil Rights (OCR) will begin the second phase of its HIPAA audit program, as part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules. This new phase focuses on reviewing the policies and procedures adopted and employed by covered entities and, for the first time, their Business Associates, to meet selected standards and implementation specifications for the Privacy, Security, and Breach Notification Rules.

The audit program actually commenced in April 2016, when OCR sent out between 500 and 1000 Audit Pre-Screening Questionnaires to designated company contacts. So on the plus side, if your organization did not receive one of these questionnaires, it is a pretty safe bet that you will not be audited by OCR this year (but check your SPAM e-mail filter – OCR has made it clear that “not getting your e-mail” will not excuse compliance, either with the requirement to fill out the questionnaire or the need to cooperate with any subsequent audit). If you did receive and complete a questionnaire, you could be getting a notice to produce documents soon!

The full audit protocol covers literally hundreds of standards and specifications, but generally speaking, OCR has confirmed the following areas of focus:

  • For covered entities being audited on privacy, OCR will look mostly at individuals’ rights of access and notice of privacy practices;
  • For covered entities being audited on security, OCR will look mostly at risk analysis and management;
  • For covered entities being audited on breach notification, OCR will look at the timing and content of breach notification, and possibly any internal assessments that an actual impermissible use or disclosure of PHI was not a breach; and
  • For business associates, OCR will look at risk analysis and management and the timeliness and content of breach notifications to covered entities.

As for timing, once you receive a notice from OCR that you have been selected for a desk audit, you will have ten business days to produce whatever documents the agency has requested. While agencies, under normal circumstances, might be willing to grant an extension if you needed some more time, I would not bank on that here. Given the number of data breaches that have occurred in the healthcare industry (a recently released report indicates that roughly 90% of healthcare organizations have experienced at least one data breach in the past two years), OCR wants to evaluate compliance and it wants to do it quickly.

So don’t wait for the audit notice. Have all of your privacy compliance documents ready to go. If the request ends up being narrower than expected, it will be easier to cull out what you do not need.

Legal risk moved to 4th biggest cloud security concern!

Posted in IT Industry

A recent survey of 2,200 Information Security Community professionals indicated that concerns “about legal and regulatory compliance have seen the biggest gain, moving from the number 7 spot (24%) to number 4 (39%)” and that 49% believed that “one of the major barriers to cloud adoption is the fear of data loss and leakage.” The Cloud Security 2016 Spotlight Report survey was taken in March and April 2016 which included the result that 52% “believe that cloud apps are as secure or more secure than on-premises applications.”

Based on the Report, Darkreading identified these “5 Reasons Enterprises Still Worry About Cloud Security”:

  1. Cloud computing has progressed so fast that it’s hard for the security industry to keep up
  2. IT still feels like they don’t have the proper tools to secure the cloud
  3. Storing and accessing data in the cloud could be a lawsuit waiting to happen
  4. Lack of visibility and the fear of letting go
  5. Security is still an afterthought, or not a thought at all

Cloud security will continue to be a top legal issue, and will probably move up from number 4.