cursor-clicks-red-VIRUS-button-300x225

Any hobbyist will tell you that a proper guide is a must to mastering a craft.  However, a hobby is a part-time occupation; most of us know that our businesses need full-time attention. Because cybersecurity threats can impact core business activities, addressing those threats, especially those known as “social engineering” and cyber scams, is not a mere pastime — it’s a full-time job.

Bad actors use social engineering — the practice of using human interaction (or simulated human interaction) to gain trust — to obtain passwords, access or other information about a company and its security and computer systems. Most notably, “phishing” is a form of social engineering in which emails or websites pose as known and trusted organizations (such as a customer, credit card company or utility) to trick a target consumer. Because the consumer views the organization as a trusted brand, the consumer is more easily duped into providing user information that could compromise their data security.

Fighting bad actors who use social engineering requires constant attention, especially as hackers become more sophisticated.  To keep you informed, here’s an abbreviated field guide of what you might see in the wild this season.

Phishing: Phishing is the most common type of social engineering cyber scam. Attackers use emails, text messaging or social media outreach to trick victims into providing the desired sensitive information, or to visit a seemingly innocent but malicious site, where their system or security can be compromised.

Many phishing scams present the target with a sense of urgency, such as, “update your password now or lose access to your account.” In the wake of  GDPR requirements, some ironically pose as trusted sources asking for approval for or recognition of privacy policy updates. Some distinguish phishing (think of catching many fish in a large trawling net) from spear phishing, in which a specific individual or small groups of individuals are targeted. Either way, it can end poorly for the phished. Continue reading

It didn’t take long.

On June 28, 2018, just more than a month after the EU’s General Data Protection Regulation went into effect, imposing broad obligations and restrictions on any entity collecting personal information of EU citizens and residents, the California legislature has passed AB 375, and the governor has signed, the California Consumer Privacy Act of 2018, providing many of the same protections and sure to upend privacy regulation in the United States.

The Act goes into effect on January 1, 2020, and while it has broad implications that will become more apparent over time, there are some key initial takeaways:

  • The Act applies to all personal information, which is broadly defined, not just information collected electronically or collected directly by a firm. Companies will need to consider all of their data acquisition functions, and conform their practices to the Act.
  • The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Significantly, personal information explicitly includes a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.  And, particularly significant in light of this week’s Supreme Court decision, it includes geolocation data.  This is a far-reaching extension of how personal information has been defined in the United States for privacy purposes.
  • The Act would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
  • The Act includes a private right of action, allowing consumers to seek damages for certain categories of unauthorized disclosures.
  • Business will be required to make disclosures about the information and the purposes for which it is used.
  • Consumers will have the right to request deletion of personal information and would require the business to delete upon receipt of a verified request.
  • Consumers will have the right to opt out of the sale of personal information by a business, and businesses will be prohibited from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
  • The Act will protect California citizens, and apply to any company that has annual gross revenues in excess of $25,000,000, alone or in combination, or annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or derives 50 percent or more of its annual revenues from selling consumers’ personal information. You should note that these tests are in the alternative, and that it will include many smaller companies.

These are only a few of the provisions of the Act, but it is clear that it has the potential of impacting companies throughout the nation.  Just as California’s initial breach notification act, adopted in 2002, radically changed the privacy landscape, the California Consumer Privacy Act of 2018 is likely to have as important an impact.

The authors of the Act recognize that it will require additional clarifying regulation to implement, and the Act itself authorizes the Attorney General to issue opinions on the scope of the Act.

While the ink on the Act is still wet, it seems clear that the Act reflects many of the requirements of the EU’s General Data Protection Regulation, and complying with the GDPR will put companies at a competitive advantage against those who wait.

The JMBM Cybersecurity and Privacy Group has worked with dozens of companies to establish procedures and policies to achieve GDPR compliance.  For additional information, contact Bob Braun (rbraun@jbmb.com, 310.785.5331) or Mike Gold (mgold@jmbm.com, 310.201.3529).

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right.

It’s often said that one can do something well, or quickly, but not both.  Corporate America is facing a world where the public demands both speed and accuracy; companies have one chance to get it right, and get it right at once.

Consider the two most recent examples: on April 12, two black men were arrested at a Philadelphia Starbucks after they entered the store and failed to place an order as they waited for a friend to arrive. The arrest was videotaped and posted on Twitter, where it immediately went viral. Within two days, CEO Kevin Johnson was apologizing for “a disheartening situation” that led to a “reprehensible outcome.” On May 29, Starbucks closed all its stores in order to train employees on racial sensitivity and implicit bias. Six weeks later, ABC reacted to an inflammatory, early morning tweet by Roseanne Barr within hours, calling it “abhorrent, repugnant and inconsistent with our values,” and cancelled her top-ranked TV show.

The lesson here is that the initial corporate emergency response time to a public relations calamity shrank from two days to several hours in just over a month.

What does this have to do with cybersecurity? Everything.

Cybersecurity and data breach response plans are all about dealing with a fast-moving and soon-to-be public crisis. Notifications, and therefore publicity, are mandatory. The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right. And as we know so painfully from the Equifax breach, that needs to be done correctly the first time round. Equifax notified the public of its data breach – covering more than 143 million people and attacking its core business – a month after it discovered the breach, and when it did, its reaction was widely criticized. Continue reading

By David Ma and Robert Braun

The Securities and Exchange Commission (SEC) could be on target to make 2018 the year of cryptocurrency regulation—or at least the start of it.

In January, Jay Clayton, chair of the Securities and Exchange Commission, and J. Christopher Giancarlo, chair of the Commodity Futures Trading Commission, published an op-ed in which they declared distributed ledger technology (DLT) in need of regulation. They wrote:

“History … has proved that transparency, investor protection and market integrity are critical to ensuring that innovation continues. But today we are seeing substantial DLT-related market activity that shows little or no regard to our proven regulatory approach. This concerns us.”

There’s a fair bit to be concerned about. That month, the global cryptocurrency market, which is highly volatile, surpassed a market value of $700 billion. And the SEC is late to the game. It was only last year that its Enforcement Division created a cyber unit.

Playing catch-up, the SEC followed up this interest with subpoenas in March to more than 80 cryptocurrency companies, including a $100 million fund started by TechCrunch’s founder Michael Arrington, in an effort to gather information on how these cryptofunds operate.

There is growing concern of fraud in the market. Some startups are using cryptocurrency to raise funds, and regulators fear that some Initial Coin Offerings (ICOs) are launched for companies that don’t even exist. Some investors eager for quick profits are likely not investigating the associated risks.

It’s unclear whether securities laws apply to digital coins. The SEC has indicated the regulations do apply, but has not formally laid out how issuers and traders should comply. The SEC has repeatedly said that the vast majority of ICOs should be registered with the agency, in part because the coins trade on secondary markets like other securities that the SEC regulates. Continue reading

human-firewall-people-walled-off-300x207


FinCEN, the Financial Crimes Enforcement Network, has indicated that cryptocurrencies will not get an enforcement “pass.”

By David Ma and Robert Braun

The Treasury Department has outlined its efforts to police electronic currencies in a letter to Sen. Ron Wyden after the lawmaker asked what the department was doing to ensure that Bitcoin and other cryptocurrencies are not being used by criminals to evade banking regulations.

Wyden, D-OR, is the ranking member of the Senate Finance Committee. He communicated his concern to the Treasury Department that cryptocurrencies could, among other uses, allow foreign governments to circumvent U.S. economic sanctions.

In its February 13, 2018 letter to Wyden, which surfaced in March, the Treasury Department reiterated its stance that cryptocurrency companies and trading organizations must comply with laws designed to combat money laundering and the financing of terrorism. To comply, these companies and organizations must investigate customers and report suspicious transactions to authorities.

While the letter does not go into further detail about what this would mean for established cryptocurrencies or Initial Coin Offerings (ICOs), some observers fear that this could mean that ICOs would be required to perform the same “Know Your Customer” (KYC) due diligence that banks do when customers open bank accounts. It also implies that cryptocurrency companies and organizations may have some obligation to monitor transactions made with their cryptocurrency.

But given the anonymous nature of cryptocurrencies, it would be difficult, from a practical perspective, for an ICO to perform the same “know your customer” diligence that a bank does. Continue reading

padlock-cybersecurity-300x203

 

Welcome to the third article in our series of blogs about blockchain technology and its impact on business practices, corporate governance and cybersecurity.

 

 

In Robert Braun’s article, Blockchain: The good, the bad, and how to tell the difference published by FinTech Weekly, he explores two issues about blockchain that trouble many in the business community: “How secure is blockchain, really?” and “Is it too good for criminals”? He also explains the connection between blockchain and climate change, and offers up some guidelines for adopting blockchain (or investing in its technology). He writes:

“Blockchain has been touted as a disruptive technology that can be used to benefit virtually any transaction, ranging from money transmission to supply chain management, to restaurant reservations.  With its promise of highly secure, private and instantaneous transactions, blockchain would seem to enhance any transfer or transaction. But while blockchain technology has caught the imagination of the public, it is based on an extension of existing technologies, not on something truly new.  It is disruptive, but not in the sense that the creation of mortgage-backed securities or the Internet was disruptive.  Those changes created entirely new opportunities and markets; blockchain is a technique that allows for new ways of doing the same thing.  At the same time, cryptocurrencies – by far, the most popular of blockchain applications – has shown the shortcomings in the technology or, at least, in how it has been adopted.”

To read the full article, see Blockchain: The good, the bad, and how to tell the difference

To read the first article in this series, see So, What is This Blockchain Thing?
To read the second article in this series, see The Four Horsemen of Cryptocurrencies: Volatility, criminal activity, security issues and human error

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

padlock-cybersecurity-300x203

 

Welcome to the second article in our series of blogs about blockchain technology and its impact on business practices, corporate governance and cybersecurity.

 

 

In Robert Braun’s article, Cryptocurrencies – Does the Next Big Thing have Staying Power?, published by FinTech Weekly, he describes four challenges that arise in the use of cryptocurrencies, and potentially in other blockchain applications: volatility, criminal activity, security issues, and human error.  He writes:

“Cryptocurrencies – not just bitcoin, but any of the hundreds of different currencies that have been created using blockchain technology – have caught the imagination of the public.  There are, seemingly, daily articles that predict either the demise of all traditional currencies in favor of cryptocurrencies, and just as many articles predicting the demise of cryptocurrencies.  While cryptocurrencies are just one of the many uses of blockchain technology, the challenges cryptocurrencies face may reflect hurdles for other uses of bitcoin. With that in mind, four challenges arise in the use of cryptocurrencies, and potentially in other blockchain applications.”

To read the full article, see Cryptocurrencies – Does the Next Big Thing have Staying Power?

To read the first blog in this series on blockchain technology, see So, What is This Blockchain Thing?

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

LOS ANGELES—Michael A. Gold, co-chair of the Cybersecurity & Privacy Group at Jeffer Mangels Butler & Mitchell LLP (JMBM), was recently named by the Daily Journal as one of California’s Top 20 Cyber – Artificial Intelligence lawyers.

In the Daily Journal’s profile, Gold discussed the disconnect that may occur between technology staff and corporate executives in developing and implementing cybersecurity measures within an organization. Describing his role in bridging the divide, Gold explained: “I develop a presentation to the ultimate business decision makers that addresses the organization’s cyber threats. Then I’ll analyze the urgency and needs. At that point, we talk about options.”

READ THE PROFILE HERE

About JMBM’s Cybersecurity & Privacy Group
JMBM’s Cybersecurity and Privacy Group provides businesses with comprehensive coverage of all substantive areas of data security and privacy, including information technology, financial, health, employment and personal privacy, litigation, and technology transactions. Contact Michael A. Gold, MGold@jmbm.com.

About the Daily Journal
The Daily Journal is California’s largest legal newspaper. Published daily, it includes breaking news and exclusive coverage of California legal affairs, California law firm news, updates on business transactions, and special reports throughout the year.

This article was originally published by Hotel Business Review and is reprinted with permission from www.hotelexecutive.com.

Almost as soon as there were data breaches, hotels became a prime target of hackers, and the hospitality industry has consistently been one of the most commonly targeted businesses. Since 2010, hotel properties ranging from major multinational corporations to single location hotels have been impacted.

The recent report that Hyatt Hotels was a victim for the second time in as many years has raised more concerns about the industry’s ability to address cybersecurity. While consumers are so used to receiving breach notices that “breach fatigue” has set in, the second successful attack on Hyatt is sure to raise the eyebrows of regulators, plaintiffs’ lawyers, and guests. The data breach will affect the loyalty, trust and consumer perception of all Hyatt Hotels guests. So how can hotels prove to guests that they are safe and trustworthy?

“While the company claims that it has implemented additional security measures to strengthen the security of its systems, no explanation was given as to why these additional measures were not implemented after the first attack,” said Robert Cattanach of Dorsey & Whitney. “Estimates of actual harm have yet to be provided, which is typically the weak spot of any attempted class action, but the liability exposure seems problematic regardless.”

Hyatt is in no way alone. On November 2, 2017, the BBC reported that Hilton was fined $700,000 for “mishandling” two data breaches in 2014 and 2015. The attorneys general of New York and Vermont said Hilton took too long to inform their guests about the breaches and the hotels “lacked adequate security measures.” Hilton discovered the first of the two breaches in February 2015 and the second in July 2015, according to the article, but the company only went public with the breaches in November 2015. The company has said there is no evidence any of the data accessed was stolen, but the attorneys general said the tools used in the data breaches made it impossible to determine what was done. Continue reading

Today’s blog is written by my partner, Louise Ann Fernandez, Chairperson of JMBM’s Labor & Employment Group. Louise Ann helps companies put hiring and employment policies in place — and develops training programs — that help to protect the business against cyber threats.  — Michael A. Gold

Could We Have Seen This Coming?
The Importance of HR to Cybersecurity

Louise Ann Fernandez, Chair, JMBM’s Labor & Employment Law Group

After a cybersecurity breach, second guessing can often turn into a blood sport. The business often blames Human Resources and the HR department is quick to say that they were not given enough information or blames IT. This kind of tension is far too common and nonproductive. Communication and creativity on all sides are essential to identifying and  preventing cybersecurity threats. This article discusses some  simple proactive steps that you can take now to help you recognize potential issues before it’s too late.

IT Hiring

Your IT department is both your first line of defense and greatest vulnerability. Do you really know who is working there? We will cover hiring in general and its role in preventing cybersecurity attacks in another blog, but often problems come because of bad hiring choices in the IT department.  Because there is a shortage of qualified IT personnel and immediate needs must be met, warning signs are often overlooked. Both HR and IT must be trained to carefully analyze the credentials of all IT applicants. You need to look for gaps in employment history, too much job hopping and things that seem inconsistent such as career changes or abnormal job progression. Most importantly, you must do careful reference checks. Do not rely on the headhunter to provide references or do reference checks. They have a conflict and will not be as careful as you would like. References can easily be faked. For example, don’t accept just cell phone numbers. They could be giving you their brother’s number. Ask employees to provide work numbers for all references and call the human resources department of each prior employer to get dates of employment. Although there are more and more restrictions on background and criminal checks, they can still be done if you follow the rules. Make sure you do them. Also, do a careful social media check to see what their online presence looks like. Key warning signs are signs of second jobs that conflict with your business, angry  posts, alternate identities such as “stage names,”  peculiar political affiliations and overactive Twitter or Instagram accounts. Make sure you know all of their email addresses. Continue reading