New York Settles EmblemHealth Breach for $575,000

The recent $575,000 settlement with EmblemHealth signals a push from AG Schneiderman “for stronger security laws and hold[ing] businesses accountable for protecting their customers’ personal data.” Noting New York’s “weak and outdated” security laws, AG Schneiderman used the settlement to urge the swift passage of the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), introduced by his office in November 2017, which would make New York one of the most protective states in terms of data privacy and security.

Power Company Slammed With Hefty $2.7M Fine After Data Breach

An unnamed power company was hit with a $2.7 million fine after it was discovered that protected information associated with the company’s critical cyber assets had been posted online. The data was exposed on the internet for 70 days and included IP addresses and server host names. A white hat security researcher alerted the company to the breach after being able to access the information online. The company determined that a third-party contractor had improperly copied protected company data to its unsecured network.

Crypto-Crime: The SEC and DOJ Go After BitFunder and Its BitFounder

Taking further steps into the world of cryptocurrency, two entities of the federal government recently took legal action against BitFunder, a now-defunct Bitcoin exchange, and its founder, Jon Montroll. The Securities and Exchange Commission filed civil charges against BitFunder and Montroll, and the U.S. Attorney’s Office in Manhattan brought criminal charges of perjury and obstruction of justice against Montroll, who was arrested and taken into custody. BitFunder was an exchange that, among other things, empowered its customers to create and trade Bitcoin-denominated shares of enterprises. The numerous allegations and charges against the defendants include:

Privacy, Data Security, and Your Board: Day Five

In our final installment on privacy, cyber security, and your board, we look at privacy and cyber issues in M&A. So you are thinking about acquiring a new entity? Divesting a current one? Due diligence will need to be conducted to best understand and evaluate privacy and data security issues and risks. Your board will expect this of you, especially as more and more data security issues receive top billing in the news. The board will want to make sure buyers have done their jobs and have looked at and understand the type of personal information the target acquisition collects and stores, how it protects such personal information, and the details surrounding any prior data security breaches suffered by the target. If divesting a company, expect that the other side will ask similar questions about privacy and data security. Boards, in thinking about their duty of care and oversight of privacy and data security matters, will want to make sure that these issues are not forgotten in the M&A process. For our prior posts on this topic, click here for day one, here for day two, here for day three, and here for day four.

Privacy, Data Security, and Your Board: Day Four

In our fourth installment on privacy, data (cyber) security, and your board, we look at crisis management and data breach issues. As part of providing appropriate duty of care and oversight, board members will want to ensure that the company has an incident response plan in place. They should review and understand the plan. They should want to make sure that the plan actually works. Is it being followed when an incident arises? Can it be followed? Has the response team practiced? And what happens when the plan is actually deployed, namely when a cyber incident arises? Keep privilege in mind when talking to the board, for example by having legal counsel conduct investigations and communicate with the board. For our prior posts on this topic, click here for day one, here for day two, and here for day three.

Privacy, Data Security, and Your Board: Day Three

In our ongoing conversation about privacy, data security, and your board, we turn next to cyber insurance and vendor management. Boards, when executing their duty of care, should keep in mind that while there may be some coverage for data incidents under a company’s CGL and D&O policies, there may be significant gaps in coverage as well. Knowing what those gaps are is important. And just as it is important to have a broker with cyber experience, it is also important to seek assistance from cyber counsel during the application process to avoid overstatements or misstatements and to ensure the company is purchasing the appropriate cyber policy based on the company’s cyber risk levels. In addition to cyber insurance coverage, another third-party issue that often comes up in the privacy and data security space is vendor management. Board oversight of vendor management has become the new normal. What should boards expect? What are the practical aspects of effective vendor management? Limiting vendor access to critical network segments, setting cybersecurity policies and standards for your vendors, and ensuring your vendor contracts comprehensively address privacy and data security risks, incidents, liability, and insurance are all things boards should be increasingly focused on. For our prior posts on this topic, click here for day one and here for day two.

Privacy, Data Security, and Your Board: Day Two

In our continuing series about privacy, data security, and your board, we next turn to how best to educate a board. Yesterday we mentioned that board members have a duty of care. Part of that duty includes effectively overseeing matters relating to privacy and data security (or the often-used buzzword “cybersecurity”). How can board members best address this? Boards will need to understand what their organizations are doing to address and respond to privacy and data security risks, threats, and incidents. They will need to be regularly informed of such efforts, and should monitor compliance. Simply assuming the company’s IT/IS department has it handled will no longer suffice. For our prior post on this topic, click here.

SEC Takes Baby Steps on Cyber, but Signals Greater Vigilance

On February 21, the Securities and Exchange Commission issued new Interpretive Guidance regarding disclosures of cybersecurity-related information by publicly traded companies. This guidance comes in the context of public pressure on the SEC to update its 2011 Division of Corporation Finance guidance regarding cybersecurity risks and incidents. According to SEC Chairman Jay Clayton’s statement, this new document serves to reinforce and expand the prior guidance. It lays out principles that companies should follow in determining when cybersecurity information should be disclosed, and what should be disclosed.

Privacy, Data Security, and Your Board: Day One

This week we are focusing on how to talk to boards about privacy and data security issues. Typically a starting point for lawyers is convincing those in a corporation why a board should care about privacy and data security, or convincing a board member why she should care. There are several reasons, but the few that have resonated the most when we talk to board members are the following: regulators require or expect board oversight, and board members can face potential liability for oversight failures. Board members generally have a fiduciary duty of care, which requires them to be informed by asking the right questions and requesting the right information. How can board members best manage these responsibilities? They can consult with counsel and other experts, when needed, and take sufficient time during meetings to discuss and understand the company’s approach to data privacy and security and consider alternative courses of action, if necessary.

Justice Department Creates Cyber-Digital Task Force

On February 20, the Department of Justice announced that Attorney General Sessions had created a new, cross-departmental Cyber-Digital Task Force. He directed the Task Force to advise him on the most effective ways for DOJ to confront cyber threats and keep Americans safe. Specifically, the Task Force is charged with canvassing the work the Department is already doing on cyber, and making recommendations on “how federal law enforcement can more effectively accomplish its [cyber] mission.” He asked for a report from the Task Force by June 30.