by

padlock-cybersecurity-300x203

 

Welcome to the second article in our series of blogs about blockchain technology and its impact on business practices, corporate governance and cybersecurity.

 

 

In Robert Braun’s article, Cryptocurrencies – Does the Next Big Thing have Staying Power?, published by FinTech Weekly, he describes four challenges that arise in the use of cryptocurrencies, and potentially in other blockchain applications: volatility, criminal activity, security issues, and human error.  He writes:

“Cryptocurrencies – not just bitcoin, but any of the hundreds of different currencies that have been created using blockchain technology – have caught the imagination of the public.  There are, seemingly, daily articles that predict either the demise of all traditional currencies in favor of cryptocurrencies, and just as many articles predicting the demise of cryptocurrencies.  While cryptocurrencies are just one of the many uses of blockchain technology, the challenges cryptocurrencies face may reflect hurdles for other uses of bitcoin. With that in mind, four challenges arise in the use of cryptocurrencies, and potentially in other blockchain applications.”

To read the full article, see Cryptocurrencies – Does the Next Big Thing have Staying Power?

To read the first blog in this series on blockchain technology, see So, What is This Blockchain Thing?

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

by

LOS ANGELES—Michael A. Gold, co-chair of the Cybersecurity & Privacy Group at Jeffer Mangels Butler & Mitchell LLP (JMBM), was recently named by the Daily Journal as one of California’s Top 20 Cyber – Artificial Intelligence lawyers.

In the Daily Journal’s profile, Gold discussed the disconnect that may occur between technology staff and corporate executives in developing and implementing cybersecurity measures within an organization. Describing his role in bridging the divide, Gold explained: “I develop a presentation to the ultimate business decision makers that addresses the organization’s cyber threats. Then I’ll analyze the urgency and needs. At that point, we talk about options.”

READ THE PROFILE HERE

About JMBM’s Cybersecurity & Privacy Group
JMBM’s Cybersecurity and Privacy Group provides businesses with comprehensive coverage of all substantive areas of data security and privacy, including information technology, financial, health, employment and personal privacy, litigation, and technology transactions. Contact Michael A. Gold, MGold@jmbm.com.

About the Daily Journal
The Daily Journal is California’s largest legal newspaper. Published daily, it includes breaking news and exclusive coverage of California legal affairs, California law firm news, updates on business transactions, and special reports throughout the year.

by

This article was originally published by Hotel Business Review and is reprinted with permission from www.hotelexecutive.com.

Almost as soon as there were data breaches, hotels became a prime target of hackers, and the hospitality industry has consistently been one of the most commonly targeted businesses. Since 2010, hotel properties ranging from major multinational corporations to single location hotels have been impacted.

The recent report that Hyatt Hotels was a victim for the second time in as many years has raised more concerns about the industry’s ability to address cybersecurity. While consumers are so used to receiving breach notices that “breach fatigue” has set in, the second successful attack on Hyatt is sure to raise the eyebrows of regulators, plaintiffs’ lawyers, and guests. The data breach will affect the loyalty, trust and consumer perception of all Hyatt Hotels guests. So how can hotels prove to guests that they are safe and trustworthy?

“While the company claims that it has implemented additional security measures to strengthen the security of its systems, no explanation was given as to why these additional measures were not implemented after the first attack,” said Robert Cattanach of Dorsey & Whitney. “Estimates of actual harm have yet to be provided, which is typically the weak spot of any attempted class action, but the liability exposure seems problematic regardless.”

Hyatt is in no way alone. On November 2, 2017, the BBC reported that Hilton was fined $700,000 for “mishandling” two data breaches in 2014 and 2015. The attorneys general of New York and Vermont said Hilton took too long to inform their guests about the breaches and the hotels “lacked adequate security measures.” Hilton discovered the first of the two breaches in February 2015 and the second in July 2015, according to the article, but the company only went public with the breaches in November 2015. The company has said there is no evidence any of the data accessed was stolen, but the attorneys general said the tools used in the data breaches made it impossible to determine what was done. Continue reading

by

Today’s blog is written by my partner, Louise Ann Fernandez, Chairperson of JMBM’s Labor & Employment Group. Louise Ann helps companies put hiring and employment policies in place — and develops training programs — that help to protect the business against cyber threats.  — Michael A. Gold

Could We Have Seen This Coming?
The Importance of HR to Cybersecurity

Louise Ann Fernandez, Chair, JMBM’s Labor & Employment Law Group

After a cybersecurity breach, second guessing can often turn into a blood sport. The business often blames Human Resources and the HR department is quick to say that they were not given enough information or blames IT. This kind of tension is far too common and nonproductive. Communication and creativity on all sides are essential to identifying and  preventing cybersecurity threats. This article discusses some  simple proactive steps that you can take now to help you recognize potential issues before it’s too late.

IT Hiring

Your IT department is both your first line of defense and greatest vulnerability. Do you really know who is working there? We will cover hiring in general and its role in preventing cybersecurity attacks in another blog, but often problems come because of bad hiring choices in the IT department.  Because there is a shortage of qualified IT personnel and immediate needs must be met, warning signs are often overlooked. Both HR and IT must be trained to carefully analyze the credentials of all IT applicants. You need to look for gaps in employment history, too much job hopping and things that seem inconsistent such as career changes or abnormal job progression. Most importantly, you must do careful reference checks. Do not rely on the headhunter to provide references or do reference checks. They have a conflict and will not be as careful as you would like. References can easily be faked. For example, don’t accept just cell phone numbers. They could be giving you their brother’s number. Ask employees to provide work numbers for all references and call the human resources department of each prior employer to get dates of employment. Although there are more and more restrictions on background and criminal checks, they can still be done if you follow the rules. Make sure you do them. Also, do a careful social media check to see what their online presence looks like. Key warning signs are signs of second jobs that conflict with your business, angry  posts, alternate identities such as “stage names,”  peculiar political affiliations and overactive Twitter or Instagram accounts. Make sure you know all of their email addresses. Continue reading

by

 

padlock-cybersecurity-300x203

First in a series of blogs about blockchain technology and
its impact on business practices, corporate governance and cybersecurity

It’s hard to avoid articles, white papers, blog pieces and presentations that promote the almost magical use of blockchain – it seems that blockchain, a form of distributed ledger technology, can be applied to virtually any situation, and best of all, it is entirely secure.  As Don and Alex Tapscott wrote in Blockchain Revolution, “The blockchain is an incorruptible digital ledger of economic transactions that can be programmed to record not just financial transactions but virtually everything of value.”

One aspect of blockchain technology has become highly debated – whether it is as secure as its proponents claim.  Since it seems inevitable that blockchain technology will be used to drive a variety of transactions, and not simply cryptocurrency, the JMBM Cybersecurity and Privacy Group has examined the technology and its impact on data security and corporate governance.

But before we can discuss the benefits and pitfalls of the technology, we have to answer a threshold question: what is a blockchain? Continue reading

by

At the airport, in a coffee shop or hotel lobby? Think twice before logging on to that free Wi-Fi.

What’s not to love about free, public Wi-Fi?  It’s free. It’s easy. A couple of clicks and you’re connected to the world.

When you’re on the go, there will always be a need to check your email, send a document to a client, touch base with someone in the office, or review the balance in your bank account. You can take care of life’s business from almost anywhere, and public Wi-Fi makes it easy.

Its ease of use makes it a boon to hackers, as well. While you’re taking care of business, so are they.

Earlier this week, I was interviewed by Leonard Lee of Thomson Reuters Legal Current for a 20-minute podcast titled “Dangers of Public Wi-Fi”.  We discussed some of the things that can happen when you’re using public Wi-Fi, including:

  • Spoofing. Rogue computers can spoof you, pretending to be something they’re not, and capture your data when you click on their link.
  • Capturing passwords. More sophisticated hackers can enter your device stealthily and monitor everything you do (capturing keystrokes to passwords, for example).
  • Depositing malware. Hackers can also deposit malware into your computer. This can endanger not only your own data – if you’re connected to your company’s network you’re risking the integrity of data shared by everyone back in the office.
  • Peeking the old fashioned way. And remember, in a public place it’s still possible for hackers to perform a hack the old fashioned way – by looking over your shoulder and reading your screen.

The safest way to go? Don’t use public Wi-Fi. Continue reading

by

LOS ANGELES—Jeffer Mangels Butler & Mitchell LLP (JMBM) is pleased to announce that Michael A. Gold, co-chair of JMBM’s Cybersecurity & Privacy Group and co-author of the Cybersecurity Lawyer Forum, has been nominated by the Los Angeles Business Journal as a “Leader in Law” in the area of Cybersecurity.

“From the time the Internet began to play a role in doing business, I have been helping clients protect critical data and comply with privacy laws,” said Gold. “The complexity of cybersecurity issues is ever expanding, creating challenges for businesses and interesting work for their lawyers. I am grateful that the Los Angeles Business Journal has recognized cybersecurity as an important area of legal practice, and that I have been nominated for this prestigious award.”

Gold counsels businesses with respect to data breach responses and investigations, crisis management, development of computer-based information retention systems, forensic investigations of computer systems, and computer and internet privacy matters. He also assists businesses in developing and implementing information management and governance best practices and developing policies and compliance structures for protecting personal and company information. Continue reading

by

The cybersecurity breaches this month of Equifax and Deloitte—both firms that tout the value of their data and security acumen—show that no company is immune to hacking.

But there is one thing that smart companies can do, both before and during a breach, and that is to develop and deploy an appropriate narrative when a security disaster strikes. That narrative needs to hew to the facts, take into account the known unknowns, and appeal not to shareholders or the press but to customers and regulators. Done right, these statements can differentiate between a recoverable data breach and a cybersecurity-related corporate disaster.

What makes this so difficult for companies and CEOs is that the right response often goes against all they’ve learned about positioning the company. Let’s dissect those impulses.

  1. Shareholder value is intact. A company sees shareholders as its most important constituency and wants to reassure them. Actually, you have no idea the impact on shareholder value, because you have no idea the full extent of the breach, how the market will receive it, and how customers and regulators will react. Incorporating this concept into any narrative is ill-advised at best.
  2. We have this under control. Company leaders do not want to exhibit weakness. However, as part of an initial statement, there is only a remote chance that the situation is under control. It takes time to learn the extent of a breach, both its breath, duration, and ultimate impact. Far better to say you are working with experts, regulators and consumer advocates to understand the extent of what may have been compromised, and that you are pushing forward diligently in this regard.
  3. We are doing all we can to mitigate the effects. Company executives often have a bias toward action. You may want to do that, but that’s impossible until you discover the scope of the data loss. Regulators are not interested in immediate solutions. They want to know that you are doing all you can to learn about the situation, not the specifics about the Band-Aids or tourniquets. They want to know your long-haul commitment.

Continue reading

by

cybersecurity-umbrella-protecting-businessman-300x300

Small businesses understand that they are challenged with all the cybersecurity issues that large companies face. But often they fail to act preemptively under the false assumption that the resources of a large company are necessary to manage cyber threats.  Small businesses are often surprised to learn that effective cybersecurity strategies are within their reach and that, in many cases, small businesses can respond to threats faster and more effectively than large companies.

I recently participated as a speaker for a conference focused on the future of cybersecurity and how small businesses can protect themselves. Ariento’s Up on Cyber 2017 Conference at the UCLA James West Alumni Center was attended by numerous small business owners, and I enjoyed the informed questions posed by the audience.

You can view a video of my 45-minute presentation, the Current Landscape of Cybersecurity Law as it Relates to Small Businesses, in which I cover the following issues:

  • What’s new in data threats
  • Where do your obligations and liabilities come from
  • Privacy Policies – protection and threat
  • Risk Assessment – the first step to risk reduction
  • Cyberinsurance – what and why
  • Responding to a data breach

Like businesses of all size, small businesses are at risk of being hacked. The threat of compromising customer and employee privacy, and the possibility of losing their reputations – not to mention their businesses – are good reasons that all small businesses should act proactively to put cybersecurity programs in place.

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

by

There may be much more missing than the headlines suggest.

Some 30 million people watched the Season 7 premiere of “Game of Thrones,” according to its creator, HBO. It’s one of the hottest media properties in years.

The popularity of the show, and HBO’s other properties, made HBO the perfect target for attention-hungry hackers who breached HBO’s systems this summer and made off with a script for a future episode and a reported 1.5 terabytes of other information–an astounding amount of data. By comparison, the 2014 Sony hack, which disclosed troves of embarrassing corporate emails and led to the departure of the company’s co-chair, was 200 gigabytes. The HBO breach is roughly seven times larger.

The size of the breach made us question – is this incident more than a spoiler for Game of Thrones and unreleased episodes of several other HBO shows?  Or did the hackers have something else in mind?  And it points out a sobering fact about many cybersecurity breaches: despite the best forensics, it can be hard to quantify their scope and know the true boundaries of what data has been taken or otherwise compromised.

The question was answered a few days later when the hackers demanded a multi-million dollar ransom to prevent the disclosure of more episodes of more shows and damaging emails and other information – and, to prove their point, released personal phone numbers of Game of Thrones actors, emails and scripts.  HBO and the hackers are now in negotiations, with the hackers demanding “our six-month salary in bitcoin”, claiming they earn $12 to $15 million  a year from blackmailing organizations whose networks they have breached. Continue reading