Industry: Law Firms

The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses.  These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access.  Once the hackers gain access through a VPN, they export data, sell access to the network, and have the ability to install ransomware.  This is just the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.

In recent weeks, we have seen growing threats to cybersecurity and privacy from malicious actors seeking to exploit the COVID-19 pandemic. As companies transition their employees to remote working and focus their efforts on core business continuity, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit vulnerabilities. The need for robust cybersecurity measures is more pressing than ever, and governmental organizations are issuing calls to action.

Over the last year, U.S. companies have been hit with a wave of new data security regulations and agency guidance, ranging from the SEC’s Guidance on Public Company Cybersecurity Disclosures to the European Union’s General Data Protection Regulation (GDPR). 

The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application.  The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.”  Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.

In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach.  In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.

Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

New York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017.  But is the financial industry ready and equipped to comply with this detailed regulation?  According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice.  They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

Justice Shirley Kornreich recently issued one of the few New York state court decisions  that address the Computer Fraud and Abuse Act (“CFAA”).  Spec Simple, Inc. v. Designer Pages Online LLC,  No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017).  The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer.  Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA.  Id. at *4 (citing 18 U.S.C. § 1030(g)).  As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.

While courts and the Federal Rules of Evidence take an increasingly pragmatic approach to the question of when inadvertent disclosure of privileged information results in waiver, a recent federal magistrate’s ruling serves as a potent warning that use of a file-sharing site—without sufficient safeguards—may constitute a waiver. Harleysville Insurance Co. v. Holding Funeral Home, Inc., No. 1:15-cv-00057 (W.D. Va. Feb. 9, 2017) is the first published decision to find that the use of a file-sharing site to exchange potentially privileged information constituted a waiver of the attorney-client privilege and work product protection—because the company failed to password protect its transmission.

Over the last few months, the New York Department of Financial Services (“DFS”) cybersecurity regulation has undergone multiple revisions.  But late last week, DFS issued its final regulation, which will go into effect on March 1, 2017.

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland.  That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

Today, the New York Department of Financial Services (DFS) announced an “updated” cybersecurity regulation that will go into effect on March 1, 2017.  The updated regulation is, in many respects, less stringent than the DFS’s original proposal. 

Today, Reuters reported that the New York Department of Financial Services (“DFS”) will delay the effective date of its new cybersecurity regulation.  According to a “person familiar with the matter,” the DFS will publish a new version of the cyber security regulation on December 28, 2016, and the effective date for the rule will now be March 1, 2017. 

Just weeks before the Cuomo administration’s “first-in-the-nation” cybersecurity regulation is scheduled to go into effect, the New York State Assembly Standing Committee on Banks will open a public hearing on Monday, December 19th into the controversial plan to require financial institutions that operate in New York to comply with a series of strict – and in some cases, unprecedented – data security measures.
 

This is the second installment in our interview with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, the cyber risk analytics company.  Here, Steven discusses the importance of aligning an institution’s risk profile with its cybersecurity plan and recommendations for bridging the gap between IT and the boardroom. 

This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.

This is the first installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation.  The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and practical consequences.

On July 21st, Patterson Belknap and Berkeley Research Group hosted a Practising Law Institute (PLI) briefing on law firm cybersecurity. 

A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek.  Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.

When it comes to buying cyber insurance, businesses might be right in taking comfort that they have mitigated the financial risks that come with a data breach.  Just not all of them.

Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision.  The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.

The U.S. Department of Homeland Security’s (DHS) top privacy official said today that a “clear mandate” from top management is the foundation of an organization’s ability to establish and implement an effective data security and privacy plan.

With last week’s ruling by the Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. solidifying the Federal Trade Commission’s authority to enforce data security practices, organizations that use online computers to store customer information should take notice.  Since 2005, the FTC has stepped up its enforcement efforts and has entered into more than 50 consent decrees relating to cybersecurity matters.