Category: cybersecurity

UK Government Launches Cybersecurity Service For Healthcare Organizations

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system.  The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016.

Acording to recent press releases, CareCERT will:

  • “Provide incident response expertise for the management of cyber security incidents and threats across health and care system”;

  • “Broadcast potential cyber threats and necessary actions to take across the sector, to ensure cyber threats are safely dealt with”;

  • “Be a central source of security intelligence for health and care by working with cross government monitoring partners such as GovCertUK and CERT-UK”;

  • “Support the analysis of emerging and future threats through unique analysis tools and reporting”; and

  • “Be a trusted source of security best practice and guidance”.

CareCERT will be run by the Health and Social Care Information Centre (HSCIC).  The HSCIC is an important offshoot of the UK Department of Health, overseeing information assurance and patient privacy within the NHS as part of its broader role in setting health IT standards, assisting IT rollout throughout the NHS, and managing the release of healthcare statistics for the NHS.

CareCERT is expected to be a natural evolution of HSCIC’s existing function and expertise.  In particular, under the HSCIC/Department of Health’s data breach reporting policy (imposed on NHS bodies and their suppliers through contract), HSCIC is already one of the bodies notified and involved in the event of serious data breaches in the public healthcare sector.  The creation of CareCERT will enhance the HSCIC’s incident response capabilities, and will give NHS suppliers an increased opportunity to engage with HSCIC proactively (for guidance and threat alerts), rather than only after serious incidents take place.

Article by Mark Young & Philippe Bradley-Schmieg of Covington & Burling

© 2015 Covington & Burling LLP

DOD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that imposes expanded obligations on defense contractors and subcontractors with regard to the protection of “covered defense information” and the reporting of cyber incidents occurring on unclassified information systems that contain such information.  Nearly three years in the making, this interim rule replaces the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and expanding the information that is subject to safeguarding and can trigger the reporting requirements.  Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.

Article By Susan B. CassidyAlejandro L. SarriaPatrick Stanton & Catlin M. Meade of Covington & Burling LLP

© 2015 Covington & Burling LLP

Register for the Thomson Reuters Legal Executive Institute 5th Annual Law Firm CFO/CIO/COO Forum – NYC June 3

The 5th Annual Law Firm CFO/CIO/COO Forum
Data Privacy, Security & the Globalized Law Firm

Early Bird Rate Ends 5-14!

LawFirmCFO-CIO-COO-banner

Register Now

The Thomson Reuters Legal Executive Institute proudly presents the 5th Annual Law Firm CFO/CIO/COO Forum on June 3, 2015 in New York City at the Crowne Plaza Times Square Manhattan.

Our program will address the twin specters of data privacy and cyber security and their impact on US and international law firms in 2015. Delegates will hear from non-legal industry CISOs and world-renowned cyber security experts on emerging threats and innovative strategies affecting modern day law firm operations. Come prepared with questions and ideas as you engage both thought leaders and peers throughout a series of collaborative discussions.

This year’s program highlights include:

  • Enemies at the Gate: Responses to Data Security Threats Across Industries
  • Red Corner: The Rise of Corporate Espionage & the Problem with China
  • From Russia with Love: APT28 and the Soviet Spector
  • Preparing for a Client Security Audit: A Peer-to-Peer Workshop
  • A Briefing on Data Security Concerns in the Cloud and Tablet Technology
  • And more

Special Offers

Early Bird Discount: Save 15% when you enter CFO15 at checkout for individual registrations.  Expires 05.14.15

Group Discounts: Save 30% on when you register 2 or more delegates, please call 1-800-308-1700

Why You Should Attend

  • This is the only professional conference in existencedevoted to the unique cyber security concerns of law firms.
  • Stay Informed about the current threats to enterprise security at your firm from our elite faculty of thought leaders.
  • Network across industries as we welcome Chief Information Security Officers (CISOs) from numerous sectors to the Forum.
  • Gain Practical Takeaways for adoption at your firm or organization and build powerful connections with the premier thought leaders in the profession.
  • Be prepared to handle any future incidents at the completion of the Forum.
  • Did you know? Many law firm CIOs and security analysts believe that mobile technology and tablet technology will be the primary target of attacks in 2015. Our forum dispenses crucial advice on how to avoid falling prey to such forces.
  • Did you know? Many analysts believe international law firms will easily double their operation and insurance costs in 2015 as a result of increased data security attacks on US and Western businesses. Are you well-versed in the latest threats from Asia, Russia and beyond?
  • Did you know? The 2015 federal regulatory, legislative and enforcement landscape will force many organizations to thoroughly assess their current security infrastructure and comply with myriad new quality controls. Have you done your proper due diligence?

The Data Security and Breach Notification Act of 2015

Jackson Lewis P.C.

On March 25, 2015, the United States House of Representative, Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade approved draft legislation which would replace state data breach notification laws with a national standard.  This draft legislation comes on the heels of the President’s call for a national data breach notification law.  The proposed legislation is identified as the “Data Security and Breach Notification Act of 2015.”

The overview of the draft provides that “Data breaches are a growing problem as e-commerce evolves and Americans spend more of their time and conduct more of their activities online. Technology has empowered consumers to purchase goods and services on demand, but it has also empowered criminals to target businesses and steal a host of personal data. This costs consumers tens of billions of dollars each year, imposes all kinds of hassles, and can have a lasting impact on their credit.”  Like many existing state laws, the proposal would require companies to secure the personal data they collect and maintain about consumers and to provide notice to individuals in the event of a breach of security involving personal information.

The draft legislation contains several key provisions:

  • Companies would be required to implement and maintain reasonable security measures and practices to protect and secure personal information;

  • The definition of personal information is more expansive than most state breach notification laws, including home address, telephone number, mother’s maiden name, and date of birth as data elements;

  • Companies are not required to provide notice if there is no reasonable risk of identity theft, economic loss, economic harm, or financial harm;

  • Companies would be required to provide notice to affected individuals within 30 days after discovery of a breach;

  • The law would preempt all state data breach notification laws;

  • Enforcement would be by the Federal Trade Commission (FTC) or state attorneys general; and

  • No private right of action would be permitted.

The measure must now be formally introduced in the House of Representatives before further action can be taken.  Notably, similar measures introduced in the past in an effort to nationalize data breach response have all failed.  However, given the number of individuals affected by, or likely to be affected by, a data breach and the fact identity theft has topped the FTC’s ranking of consumer complaints for the 15th consecutive year, support for a national data breach notification law has never been stronger.

ARTICLE BY

Jason C. Gavejian
Jackson Lewis P.C.
Workplace Privacy Blog

New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United Sates, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).

ARTICLE BY

Michael L. Pillion
A. Benjamin Klaber
Morgan, Lewis & Bockius LLP

Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Foley and Lardner LLP

Major cybersecurity attacks of increased sophistication — and calculated to maximize the reputational and financial damage caused to the corporate targets — are now commonplace. These attacks have catapulted cybersecurity to a top priority for senior executives and board members.

To help these decision makers get their arms around cybersecurity issues, Foley Partners Chanley T. Howell, Michael R. Overly, and James R. Kalyvas have published a comprehensive white paper entitled: Taking Control of Cybersecurity — A Practical Guide for Officers and Directors.

The white paper describes very practical steps that officers and directors should ensure are in place or will be in place in their organizations to prevent or respond to data security attacks, and to mitigate the resulting legal and reputational risks from a cyber-attack. The authors provide a blueprint for managing information security and complying with the evolving standard of care. Checklists for each key element of cybersecurity compliance and a successful risk management program are included.

Excerpt From Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Sony, Target, Westinghouse, Home Depot, U.S. Steel, Neiman Marcus, and the National Security Agency (NSA). The security breaches suffered by these and many other organizations, including most recently the consolidated attacks on banks around the world, combined with an 80 percent increase in attacks in just the last 12 months, have catapulted cybersecurity to the top of the list of priorities and responsibilities for senior executives and board members.

The devastating effects that a security breach can have on an enterprise, coupled with the bright global spotlight on the issue, have forever removed responsibility for data security from the sole province of the IT department and CIO. While most in leadership positions today recognize the elevated importance of data security risks in their organization, few understand what action should be taken to address these risks. This white paper explains and demystifies cybersecurity for senior management and directors by identifying the steps enterprises must take to address, mitigate, and respond to the risks associated with data security.

Officers and Directors are Under a Legal Obligation to Involve Themselves in Information Security

The corporate laws of every state impose fiduciary obligations on all officers and directors. Courts will not second-guess decisions by officers and directors made in good faith with reasonable care and inquiry. To fulfill that obligation, officers and directors must assume an active role in establishing correct governance, management, and culture for addressing security in their organizations.

Download This White Paper

ARTICLE BY

Chanley T. Howell
James R. Kalyvas
Michael R. Overly
OF
Foley & Lardner LLP

Responding to the Anthem Cyber Attack

Proskauer Rose LLP, Law Firm

Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies.Anthem has reported that the exposed information includes member names, member health ID and Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information. The investigation of the massive data breach is ongoing, and media outlets have reported that class action suits have already been filed against Anthem in California and Alabama, claiming that lax Anthem security measures contributed to this incident.

Employers, multiemployer health plans, and others responsible for employee health benefit programs should take note that theHealth Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws may hold them responsible for ensuring that certain notifications are made related to the incident. The nature of these obligations will depend on whether the benefits offered through Anthem are provided under an insurance policy, and so are considered to be “fully insured,” or whether the Anthem benefits are provided under a “self-insured” arrangement, where Anthem does not insure the benefits, but instead administers the benefits. The most significant legal obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will apply to Anthem benefits that are self-insured.

Where notifications must be made, the notifications may be due to former and present employees and their dependents, government agencies, and the media.  Where HIPAA applies, the notifications will need to be made “without unreasonable delay” and in any event no later than 60 days after the employer or other responsible party becomes aware that the breach has affected its own health plan participants. Where state data breach laws apply, notifications generally must be made in the most expedient time possible and without unreasonable delay, subject to certain permitted delays. Some state laws impose outside timeframes as short as 30 days. Under the state laws, reporting obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will generally turn on whether they, or Anthem, “own” the breached data. Since the state laws apply to breaches of data of their residents, regardless of the states in which the compromised entities and data owners are located, and since former employees and dependents could reside anywhere, a comprehensive state law analysis is required to determine the legal requirements arising from this data breach. Fortunately, depending on the circumstances, some (but not all) state data breach notification laws defer to HIPAA breach notification procedures, and do not require additional action where HIPAA applies and is followed.

As potentially affected parties wait for confirmation from Anthem as to whether any of their employees, former employees or their covered dependents has had their data compromised, we recommend that affected parties work with their legal counsel to determine what their responsibilities, if any, might be to respond to this incident. Among other things, for self-insured arrangements, HIPAA business associate agreements and other contracts with Anthem should be reviewed to assess how data breaches are addressed, whether data ownership has been addressed by contract, and whether indemnification provisions may apply. Consideration should also be given to promptly reaching out to Anthem to clarify the extent to which Anthem will be addressing notification responsibilities. Once parties are in a position to make required notifications, we also recommend that companies consult with legal counsel to review the notifications and the distribution plans for those notifications to assure that applicable legal requirements have been satisfied.

ARTICLE BY

Roger A. Cohen
Paul M Hamburger
Kristen J. Mathews
Ellen H Moskowitz
Richard J Zall
OF
Proskauer Rose LLP

Three Lessons for Mitigating Network Security Risks in 2015: Bring Your Own Device

Risk-Management-Monitor-Com

Not too long ago, organizations fell into one of two camps when it came to personal mobile devices in the workplace – these devices were either connected to their networks or they weren’t.

But times have changed. Mobile devices have become so ubiquitous that every business has to acknowledge that employees will connect their personal devices to the corporate network, whether there’s a bring-your-own-device (BYOD) policy in place or not. So really, those two camps we mentioned earlier have evolved – the devices are a given, and now, it’s just a question of whether or not you choose to regulate them.

This decision has significant implications for network security. If you aren’t regulating the use of these devices, you could be putting the integrity of your entire network at risk. As data protection specialist Vinod Banerjee told CNBC, “You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.” What’s worse, this has the potential to happen on a wide scale – Gartner predicted that, by 2018, more than half of all mobile users will turn first to their phone or tablet to complete online tasks. The potential for substantial remote access vulnerabilities is high.

So what can risk practitioners within IT departments do to regain control over company-related information stored on employees’ personal devices? Here are three steps to improve network security:

1. Focus on the Increasing Number of Endpoints, Not New Types

Employees are expected to have returned from holiday time off with all sorts of new gadgets they received as gifts, from fitness trackers to smart cameras and other connected devices.

Although these personal connected devices do pose some network security risk if they’re used in the workplace, securing different network-enabled mobile endpoints is really nothing special for an IT security professional. It doesn’t matter if it’s a smartphone, a tablet or a smart toilet that connects to the network – in the end, all of these devices are computers and enterprises will treat them as such.

The real problem for IT departments involves the number of new network-enabled endpoints. With each additional endpoint comes more network traffic and, subsequently, more risk. Together, a high number of endpoints has the potential to create more severe remote access vulnerabilities within corporate networks.

To mitigate the risk that accompanies these endpoints, IT departments will rely on centralized authentication and authorization functions to ensure user access control and network policy adherence. Appropriate filtering of all the traffic, data and information that is sent into the network by users is also very important. Just as drivers create environmental waste every time they get behind the wheel, network users constantly send waste – in this case, private web and data traffic, as well as malicious software – into the network through their personal devices. Enterprises need to prepare their networks for this onslaught.

2. Raise the Base Level of Security

Another way that new endpoints could chip away at a network security infrastructure is if risk practitioners fall into a trap where they focus so much on securing new endpoints, such as phones and tablets, that they lose focus on securing devices like laptops and desktops that have been in use for much longer.

It’s not difficult to see how this could happen – information security professionals know that attackers constantly change their modus operandi as they look for security vulnerabilities, often through new, potentially unprotected devices. So, in response, IT departments pour more resources into protecting these devices. In a worst-case scenario, enterprises could find themselves lacking the resources to both pivot and mitigate new vulnerabilities, while still adequately protecting remote endpoints that have been attached to the corporate network for years.

To offset this concern, IT departments need to maintain a heightened level of security across the entire network. It’s not enough to address devices ad hoc. It’s about raising the floor of network security, to protect all devices – regardless of their shape or operating system.

3. Link IT and HR When Deprovisioning Users

Another area of concern around mobile devices involves ex-employees. Employee termination procedures now need to account for BYOD and remote access, in order to prevent former employees from accessing the corporate network after their last day on the job. This is particularly important because IT staff have minimal visibility over ex-employees who could be abusing their remote access capabilities.

As IT departments know, generally the best approach to network security is to adopt policies that are centrally managed and strictly enforced. In this case, by connecting the human resources database with the user deprovisioning process, a company ensures all access to corporate systems is denied from devices, across-the-board, as soon as the employee is marked “terminated” in the HR database. This eliminates any likelihood of remote access vulnerabilities.

Similarly, there also needs to be a process for removing all company data from an ex-employee’s personal mobile device. By implementing a mobile device management or container solution, which creates a distinct work environment on the device, you’ll have an easy-to-administer method of deleting all traces of corporate data whenever an employee leaves the company. This approach is doubly effective, as it also neatly handles situations when a device is lost or stolen.

New Risks, New Resolutions

As the network security landscape continues to shift, the BYOD and remote access policies and processes of yesterday will no longer be sufficient for IT departments to manage the personal devices of employees. The New Year brings with it new challenges, and risk practitioners need new approaches to keep their networks safe and secure.

ARTICLE BY

Risk Management Magazine
OF
Risk and Insurance Management Society, Inc. (RIMS)

SEC Sanctions Operator of Unregistered Virtual Currency Exchanges

Katten Muchin Law Firm

On December 8, the Securities and Exchange Commission sanctioned a computer programmer for operating two online exchanges that traded securities using virtual currencies without registering them as broker-dealers or stock exchanges. The programmer, Ethan Burnside, operated the two exchanges through his company, BTC Trading Corp., from August 2012 to October 2013. Account holders were able to purchase securities in virtual currency businesses using bitcoins on BTC Virtual Stock Exchange and using litecoins on LTC-Global Virtual Stock Exchange. The exchanges were not registered as broker-dealers but solicited the public to open accounts and trade securities. The exchanges also were not registered as stock exchanges but enlisted issuers to offer securities to the public for purchase and sale. Burnside also offered shares in LTC-Global Virtual Stock Exchange itself, as well as interests in a separate Litecoin mining venture, LTC-Mining, in exchange for virtual currencies. The SEC charged Burnside with willful violations of Sections 5(a) and 5(c) of the Securities Act of 1933 and Burnside and BTC Trading Corp. with willful violations of Sections 5 and 15(a) of the Securities Exchange Act of 1934. Burnside cooperated with the SEC’s investigation and settled, paying more than $68,000 in profits plus interest and a penalty. The SEC also barred Burnside from the securities industry.

The action may indicate that the SEC is taking a closer look at decentralized platforms for trading virtual currency using cryptocurrency technology, but the SEC has neither confirmed nor denied such speculation. In recent months, the SEC has reportedly sent voluntary information requests to companies and online “crypto-equity exchanges” offering equity and related interests denominated in virtual currency and websites offering digital tokens for programming platforms. A discussion of the SEC’s voluntary information sweep is available here.

Click here to read the SEC Press Release and here to read the SEC order.

ARTICLE BY

Evan L. Greebel
Kathleen H. Moriarty
Michael M. Rosensaft
Claudia Callaway
Robert Loewy
Gregory E. Xethalis
OF
Katten Muchin Rosenman LLP

Cyber and Technology Risk Insurance for the Construction Sector

Much Shelist law firm logo

The recent, well-publicized retail store data breach controversies have spawned a number of lawsuits and insurance claims. Not surprisingly, insurers have responded with attempts to fight claims for coverage for such losses. Insurance underwriters are carefully monitoring decisions being handed down by courts in these lawsuits. All of this activity has led to a new emphasis on cyber and technology risk and assessments, as well as on insurance-program strategies.

These developments have ramifications for the construction industry that include, and go well beyond, the data-breach context. Contractors, design professionals and owners may find that in addition to losses caused by data breaches, other types of losses occasioned by technology-related incidents may not be covered by their existing insurance programs.

Specifically, insureds may find themselves with substantial coverage gaps because:

  • data and technology exclusions have been added to general liability policies.

  • such losses typically involve economic losses (as opposed to property damages or personal-injury losses) that insurers argue are not covered by general liability policies.

  • data and technology losses may be the result of manufacturing glitches rather than professional negligence covered by professional liability policies.

Coverage for claims involving glitches, manufacturing errors and data breaches in technology-driven applications — such as Building Information Modeling (BIM), estimating and scheduling programs, and 3D printing — may be uncertain. A number of endorsements are currently available for data breach coverage, but insurers don’t necessarily have the construction industry in mind as they provide these initial products.

In addition, there is no such thing as a “standard” cyber liability policy, endorsement or exclusion. Insurers have their own forms with their own wording, and as seemingly minor differences in language may have a significant impact in coverage, such matters should be run past counsel.

Construction insurance brokers are telling us that insurers are in the process of determining how to respond to cyber and technology risk claims, what products to offer going forward, and how to underwrite and price these products. Keith W. Jurss, a senior vice president in Willis’s National Construction Practice warns:

“As the construction industry continues to identify the unique “cyber” risks that it faces we are identifying gaps in the current suite of “cyber” insurance coverages that are available.  In addition, new exclusionary language related to cyber risk under CGL and other policies adds to the gap.  The insurance industry is slowly beginning to respond with endorsements that give back coverage or new policies designed to address the specific risks of the construction industry.

“As we identify cyber insurance underwriters willing to evaluate the risks specific to the construction industry, we are seeing the development of unique solutions in the market. There is, however, more work required and as construction clients continue to demand solutions the industry will be forced to respond.”

Consequently, this is a time to stay in close touch with qualified construction insurance brokers who understand the sector and have their hands on the pulse of the latest available cyber and technology risk products. As these products become available, clients may also want to consider what cyber and technology risk coverage to require on projects and whether to include these requirements in downstream contracts.

ARTICLE BY

Josh M. Leavitt
OF
Much Shelist, P.C.