Articles Posted in Policies and Procedures

by

Web analytics concept - Multicolor versionWhile there is no nationwide cybersecurity program, the Federal Trade Commission has brought more than 50 actions claiming that the cybersecurity practices of a variety of companies in a variety of industries. While these actions have primarily been administrative and resulted in settlements, and the specifics of each order apply only to the company affected, these actions are instructive as to what the FTC expects of cybersecurity programs.  A byproduct of the FTC’s actions is a guide to companies to create better privacy and security policies and programs.  While these cases don’t necessarily identify how to run “gold-standard” programs, they identify what the FTC expects as minimum standards for efforts to protect data.

The FTC has said that most enforcement actions it has brought involve “basic, fundamental security missteps.” Many are human error, but there are also plenty that show deficiencies in cybersecurity risk assessments and programs.  This piece describes baseline guides; companies should consult qualified counsel for specifics. Engaging counsel itself on these issues is a sign to regulators that a company takes cybersecurity seriously. But doing it correctly depends on engaging top legal counsel and experienced advisors early on.

Human Factor.  No cybersecurity program is ironclad as long as human error exists and the skills of hackers evolve at the same rate as technology itself. But many cybersecurity breaches are the result of more simple mistakes. The FTC requires “reasonable” efforts, not complete security.

It’s also important to note that cybersecurity solutions are not one-size-fits-all, even for companies within the same industry. Prevention programs depend on the unique circumstances and business practices of each company. Regardless of company or industry, however, a demonstrated commitment to security is required, both to satisfy the government and to protect valuable corporate and customer assets.  Continue reading

by

The Big Data deluge - A businessman tries to crunch the numbers at his desk.pngCybersecurity horror stories tend to focus on government agencies, retail outlets, health care institutions, and other companies serving consumers. But business professionals such as lawyers, accountants and business managers are increasingly at risk of attack, and may be less prepared to handle a cyber assault.

Late last year, three Chinese citizens were criminally charged in the United States with trading on confidential corporate information obtained by hacking into networks and servers of two prominent law firms, reported to be Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP, working on sensitive and highly confidential mergers. This was market-moving data, including information on Cravath’s work and information on an acquisition of its client, Pitney Bowes.

Prosecutors said the hackers gained access to the law firm’s computer system using an employee’s credentials. The hackers then installed malware on the firm’s servers to access emails from lawyers, including a partner responsible for the Pitney deal. Similarly, the hackers obtained information about an Intel acquisition from the IT system of its counsel, Weil Gotshal. The hackers made millions of dollars trading on the confidential information about the deals, and exposed the danger law firms and other professional service firms face.

What’s worse, consider this: in all likelihood, there are probably dozens of professional service firms that have experienced cybersecurity breaches and don’t even know it. Continue reading

by

Last year, SEC Chair Mary Jo White named cybersecurity as the biggest risk facing financial markets. But the risk isn’t limited to the financial industry – even a casual review of breach reports in the mainstream press shows that cybersecurity is a risk common to all companies in any industry.  The challenge facing companies is how to prepare for what seems to be inevitable, and how to do it in an efficient and economical basis.

The key element in preparing for a data breach is less a technical matter than a traditional evaluation of business risk.  Companies regularly analyze the risks of business decisions, and just as regularly, recognize that risk analysis requires legal advice.  Evaluating cybersecurity risk is no different – it requires that a company understands the risks it takes, which risks it is willing to assume as part of its business and which risks need to be eliminated or shifted (through insurance, contractual arrangements or otherwise).  Understanding this, obtaining competent legal advice before a breach is a critical aspect of any cybersecurity plan.

Despite this fact, many companies focus their data protection programs in IT, and only bring in their lawyers late in the game to bless their cybersecurity measures. While legal expenses are always a concern, companies will reap a greater return on their overall cybersecurity investment by soliciting advice early on, and stand better odds a breach will be handled correctly and efficiently.

What can cybersecurity lawyers bring to the table?

Hand-in-Glove Collaboration

Perhaps most importantly, legal counsel commonly work with a variety of corporate players and are in a unique position to work hand-in-glove with IT, HR, and other functions to assess and reduce cybersecurity risk while still permitting a company to function efficiently. An experienced lawyer is often the best person to lead a team that establishes key protocols to avoid a breach, including policies and procedures for privacy, confidentiality, mobile device usage, record retention, and breach protocol.  Lawyers are particularly able to address the key elements of an effective cybersecurity plan. Continue reading

by

Cyber risk affects businesses of every size and industry. A data breach can lead to negative publicity, loss of customer confidence and potential lawsuits. There can be a variety of unanticipated – and costly – business disruptions.

Just ask the owners of the Romantik Seehotel Jaegerwirt hotel, in the Austrian Alps, which recently had their systems frozen by hackers, resulting in the complete shutdown of hotel computers. The hackers breached the hotel’s key card system, making it impossible for guests to enter their rooms and preventing the hotel from reprogramming the cards.

The hackers did not scrape guests’ credit card data, as has happened with other hotel data breaches, but instead demanded a ransom payable in Bitcoin. The Romantik Seehotel Jaegerwirt – which was fully occupied at the beginning of ski season – paid the ransom, at which time control of the key card system was restored.

While highly disruptive, it’s easy to imagine how it could have been worse. Fortunately, the hotel located and fixed the backdoor left by the hackers (which the hackers tried to exploit almost immediately) and secured their systems.

Vulnerability to hackers seeking to take control of a building’s system is a very real threat to organizations of all kinds: hospitals, hotels, law firms, research facilities, banks, retailers – virtually any kind of business that is housed in a “smart” building. Continue reading

by

3679571-business-peopleOne of the challenges – perhaps the biggest challenge – to achieving cybersecurity is complexity.  Every day we are faced with new threats as hackers display their creativity and new technologies and approaches to addressing those threats.  Governments, both U.S. and foreign, regularly propose laws and regulations better to protect us – and to confuse us.  And underlying all of it is technical language which seems designed to prevent us from understanding the challenge of cybersecurity.

It’s no wonder that one of the things our clients most often ask is where to start – what is one thing that they can do to start the process of becoming cybersecure.  And the fact is that there is one thing that will put you on the road to cyber security:  Creating a culture of security.

While many firms claim to have a “culture of security,” it’s unclear that they have made the commitment to engage every aspect of their operations, and every one of their personnel, in the goal of creating a cybersecure environment.  Cybersecurity requires a firm to create in each of its personnel a “human firewall.”

An enterprise-wide focus on security requires a focus on people, not on technology.  However important security technology may be – and we do not suggest that a company skimp on its technology budget! – most technological defenses can be overcome by individuals, whether through lack of training, negligence, or malice.  Consequently, bringing individuals into the cybersecure culture and making them stakeholders will have an immediate and measurable impact on cybersecurity efforts.

So, then, how is a cybersecure culture achieved?  A few essential steps are required: Continue reading

by

Cursor Hand On Key Background Showing Blank Copy space Click Here

Cybercrime cost the world economy about $445 billion in 2014 and the 2015 numbers will be even higher. The cost of data breaches will reach $2.1 trillion globally by 2019. Worldwide spending on information security is estimated to reach $77 billion in 2015. In the midst of these astounding numbers, the role of the “human factor” has gotten lost. This is a frightening fact. Why? Because “they will click.” A breach is just one click away – a single person can and will overcome any technological safeguard. This is an unassailable reality, but one that gets mostly lip service by companies.
Continue reading

by and

Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss why companies need a cybersecurity training program. The other videos in this 4-part series include: First steps to take when there’s a data breach at your company; Cybersecurity for middle market companies; and Impact of international privacy laws on U.S. companies.

Continue reading

by and

Co-chairs of the Jeffer Mangels Cybersecurity and Privacy Group, Robert E. Braun and Michael A. Gold, discuss cybersecurity for middle market companies. The other videos in this 4-part series include: Why companies need a cybersecurity training program; First steps to take when there’s a data breach at your company; and Impact of international privacy laws on U.S. companies.

Continue reading

by and

Multinational companies often face challenges in enforcing claims against their employees and agents located in foreign jurisdictions. In December 2012, a federal appeals court decision — MacDermid, Inc. v. Deiter, No. 11-5388-cv (2nd Cir. Dec. 26, 2012) — made enforcement a bit easier when a company goes after employees who commit cyber theft beyond U.S. borders.
Continue reading

by and

There is no shortage of advice on how to secure electronic information. Companies can look to pronouncements by state and federal agencies (for example, the recent statements by the California Attorney General and the Federal Trade Commission on mobile application security), private industry (like the Payment Card Industry’s Data Security Standards) and foreign standards (like the European Union Data Protection Directive). There is guidance regarding technical standards, corporate protocols, contracting requirements and others.
Continue reading