Categories & Search

Are Bug Bounty Programs Worth It?

Almost weekly, it seems there is another news article about a bug bounty program sponsored by a major corporation where an amateur hacker – often a teenager – is paid a sizeable sum of money for finding a bug in a company’s operating system or code. Often, these articles describe just how much money these teens make from bug bounty programs; one headline from March 12, 2019 describes how bug bounty programs have made “one teen a millionaire hacker.” In another from February 2019, Apple paid a 14-year-old hacker an undisclosed sum after he found a security flaw in FaceTime.  


FTC Looks to NY’s Cyber Regulation in Proposed Changes to Safeguards Rule

When New York’s far-reaching cybersecurity law for financial institutions was enacted more than two years ago, some predicted it would serve as a national blueprint for future data security laws. Now, as the U.S. Federal Trade Commission considers changes to two privacy rules designed to safeguard customer information held by financial institutions, the proposed changes to one law – the Safeguards Rule – hue closely to a handful of requirements already in place in New York.


Yet Another Proposal to Require Disclosure of Board’s Cyber Expertise

Before investing in a company, would you want to know whether the board of directors had cybersecurity expertise?

A bipartisan group of senators have proposed a bill, Senate Bill 592, that would require every public company to disclose the cybersecurity background of its directors, and, if none exists, explain why the company doesn’t believe it is necessary.


MyFitnessPal Data Breach Lawsuit Sent to Arbitration

Many consumers have become painfully aware of the risks that data breaches pose in a digital world. And now, their legal claims may not be ultimately decided by a judge or jury but sent off to arbitration.


DNA Collection: The Next Big Thing in Privacy Litigation?

The use of biometric technology is fast becoming the next big thing in privacy litigation. There was last month’s decision by the Illinois Supreme Court that upheld a consumer’s right to sue companies for collecting biometric data – such as fingerprints and iris scans – without first disclosing how such information will be used. See our blog on that ruling here.


GAO Backs “Comprehensive” Privacy Legislation

A recent report by the Government Accountability Office (GAO) is recommending that Congress adopt comprehensive federal data privacy legislation. The GAO’s proposal is, in part, meant to address limitations of the current privacy regulatory landscape, which is mostly piecemeal, industry-specific regulation at both the federal and state levels. The GAO’s 56-page report follows more than a year of interviews with officials from various federal agencies that have taken active roles in data security issues, including the Federal Trade Commission (FTC), Federal Communications Commission, and the Consumer Financial Protection Bureau, as well as stakeholders from industry and academia.


NYS Cyber Regulation: New Rules for Third-Parties

It’s been almost two years since New York’s top banking regulator implemented one of the nation’s most stringent cybersecurity regulations.  Since then, thousands of financial institutions have recruited chief information security officers, implemented cybersecurity programs, performed penetration testing, and imposed encryption requirements on their most sensitive information.


New York’s DFS Cyber Deadlines Loom

It’s a marathon month for the thousands of financial institutions and insurance companies covered by New York’s landmark cybersecurity regulation. In little more than a week, these businesses must file their second annual certification of compliance with the State’s Department of Financial Services. Two weeks later, they must also come into compliance with the regulation’s third-party vendor requirements, the final milestone in the two-year roll out of the cybersecurity regulation.


Trade Off Between Privacy and Convenience: Germany’s New Digital Mail Service

In a country renowned for protecting the privacy of its citizens, Germany has undertaken a pilot that does just the opposite. In a trade off between privacy and convenience, German residents can enroll in a digital service where their mail is emailed to them anywhere in the world.


A Shield From Cyber Liability: Integrating SAFETY Act Protections Into Institutional Cyber Governance

An obscure federal law called the SAFETY Act recently captured national headlines when MGM Resorts International invoked it in a series of pre-emptive, declaratory judgment law suits against the victims of the 2017 Harvest Festival Las Vegas shooting. MGM sued the victims in an effort to avoid liability in connection with the tragedy. MGM owns the Mandalay Bay hotel, where Stephen Paddock, from his 32nd floor suite, shot and killed 58 people and wounded hundreds more who were attending a music festival next door.


The New York Times Features Op-Ed by Craig Newman: "Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement"

The New York Times featured an op-ed last week written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement.” In the op-ed, Mr. Newman discusses how the January 2019 settlement “marked the first time that shareholders have been awarded monetary damages in a derivative lawsuit related to a data breach.” Mr. Newman notes, “the settlement signals that director and officer liability for cybersecurity oversight is entering new and potentially perilous territory.”

To read the full article, click here.


Illinois Biometric Law: Scanning Fingerprints Can Get You Sued

In a ruling with wide-spread implications, the Illinois Supreme Court on Friday upheld a consumer’s right to sue companies for collecting biometric data – such as finger prints and iris scans – without disclosing how such information will be used.


HHS Releases New Cybersecurity Guidance

In a four-part publication, a Task Force that included the Department of Health and Human Services (HHS) and private sector industry leaders released guidance for the healthcare industry on cybersecurity best practices. The guidance, Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, focuses on healthcare providers, payors and pharmaceutical companies.


PayPal Shareholders’ Data Breach Stock-Drop Suit Dismissed

Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price. 


A Closer Look at California’s New Privacy Regime: Two Critical Definitions

Businesses covered by the recently enacted California Consumer Privacy Act of 2018 (CCPA) are scrambling to comply with the statute, which becomes “operative” on January 1, 2020, unless that date is changed by the California legislature. As we have noted in earlier blog posts, the CCPA is the most sweeping privacy law in the U.S. and has significant implications for any business that falls within its coverage.


State Attorney General Starts Rulemaking Process for California Consumer Privacy Act

Yesterday, by e-mail and on its website, the California Department of Justice (DOJ) announced that it would hold “six statewide forums to collect feedback” in advance of the rulemaking process for the California Consumer Privacy Act (CCPA).  The announcement did not include proposed rules or regulations, which must be adopted by July 1, 2020.


Texting Clients and Using Social Media? SEC Issues Compliance Reminder to Investment Advisers

Investment advisers may want to think twice before texting clients any advice in the New Year.

In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.


SEC Cyber Briefing: Investigation into Wire Fraud and a Look at 2019 Regulatory Initiatives

Wire fraud committed by cybercriminals is not a new phenomenon. The FBI and other government agencies have regularly warned against wire fraud scams—called “business email compromises” or BECs—where criminals pose as vendors or company executives and use email to dupe company insiders into wiring money into bank accounts controlled by the perpetrators. And in some instances, the amounts involved are staggering.


New York AG Intervenes Again to Protect Children’s Online Privacy

Protecting children’s online privacy remains a point of focus for the New York Attorney General.  That’s the upshot of the recent record-setting settlement with Oath Inc. – formerly AOL, Inc. – for violating the Children’s Online Privacy Protection Rule (COPPA).


ABA Provides Guidance for Law Firm Data Breaches

Lawyers don’t get a free pass when it comes to data security.  In fact, ethical rules impose a series of obligations on lawyers when they or their firms are subject to a data breach.

In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach.


MGM’s Fight for SAFETY Act Protection Takes a Timeout

MGM Resorts International has hit the pause button in its gambit to shield itself from liability stemming from the October 2017 shooting at the Mandalay Bay Hotel in Las Vegas.

As we reported previously, MGM has brought more than a dozen declaratory judgment lawsuits against the victims in the deadliest mass shooting in modern U.S. history, arguing that claims against the casino giant are barred by federal law. MGM has released a statement saying it hopes to avoid years of litigation by exploring potential settlement options, and adding that “years of protracted litigation is in no one’s best interest.”


Canada’s New Breach Notification Law: A Global Reach?

We’ve blogged previously about the patchwork of state data privacy laws, and the challenges it poses for multinational businesses. Now, U.S. companies need to beware of our neighbor to the north as well: Canada has enacted a new breach notification regulation that may have implications well beyond its geographical borders.


Another State Data Security Law: Ohio Gets in on the Action

Starting today, Ohio businesses with written cybersecurity programs will be looking for a free pass if they are sued under state law over a data breach.

Ohio’s Data Protection Act (Senate Bill 220, Ohio Rev. Code § 1354.01, et seq.) goes into effect today, creating a safe harbor from tort liability for businesses that meet specific cybersecurity standards. The law won’t prevent litigation over a data breach, but provides an affirmative defense to companies hit with such claims if they have met the requirements of the new law. This includes adopting data security policies that conform to a number of existing industry standards including the NIST Cybersecurity Framework.


Bull or Bear? How the Market Reacts to Data Breach News

Last week, Cathay Pacific Airlines Ltd., the Hong Kong-based international airline, disclosed that a hacker had broken into its computer system and accessed personal information for as many as 9.4 million travelers, representing the world’s largest reported airline data breach to date.  Following the announcement, the airline’s shares sank the lowest that they’ve been in almost 9 years – tumbling nearly 7% and losing more than $200 million of in market value.


Another Hack in the Education Sector: 40 Million Records Exposed

A recent data breach at Chegg Inc., the online educational technology company, serves as the most recent reminder that the education sector remains a target for hackers.

Last month, Chegg reported, on a Form 8-K disclosure filed with the Securities Exchange Commission, that it had experienced a security breach in which an “unauthorized party gained access to a Company database that hosts user data for”


Part 2: More from DOJ on Cyber Investigations and Breach Preparedness

This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.”  In the first installment, we looked at DOJ’s recommendations for preparedness.  Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.


FDA Issues “PlayBook” for Medical Device Cybersecurity

The Food and Drug Administration is stepping up its game with respect to the cybersecurity of medical devices. 

On Monday, the agency announced its launch of a preparedness and response “playbook” to address threats to medical device cybersecurity. The move cited an uptick in cyber-attacks and the potential for bad actors to exploit medical devices.


Part 1: DOJ Weighs In on Cyber Investigations & Breach Preparedness

The U.S. Department of Justice is increasing its outreach to the private sector on all things cyber.

Last week, the DOJ’s Criminal Division held a cybersecurity roundtable to discuss challenges in handling data breach investigations. As part of the roundtable discussion, the DOJ issued revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” The Best Practices guidance, summarized below, is the result of the DOJ’s outreach efforts concerning ways in which the government can work more effectively with the private sector to address cybersecurity challenges. The goal of the roundtable discussion, which started in 2015, is to foster and enhance cooperation between law enforcement and data breach victims, and to also encourage information sharing.


California Enacts First-Ever State IoT Security Law

California is leading the pack. Once again.

On Friday, Governor Jerry Brown signed into law SB 327, the first- ever state legislation aimed at governing Internet of Things (IoT) devices.


Sports Data & Cybercrime: Alarm Bells?

Is legalized sports betting the next big thing in cybercrime?

When the U.S. Supreme Court last spring struck the Professional and Amateur Sports Protection Act – the law that barred most states from allowing sports betting – the floodgates opened and everyone seeking to profit from legalized sports gaming staked out their turf. Five states have already passed laws to allow sports betting and 18 others will soon follow suit. The most recent state to open its doors to legalized sports wagering, West Virginia, even plans to allow online sports wagering.


Corporate Behavior, Hackers and Socially-Responsible Investing

Should a public company’s cyber and breach disclosure practices matter to Wall Street and socially-responsible investment funds?

That’s the vexing question posed in a blog post by Audit Analytics, the Massachusetts-based financial research firm.

Socially-responsible investment funds – called ESG funds that focus on environmental, social and governance practices – rely on sustainable, socially conscious investing principles.  ESG portfolio managers consider issues beyond a company’s financial standing before jumping into an investment position such as environmental compliance, working conditions, executive pay and diversity efforts. Audit Analytics asks whether cybersecurity should be added to this list of investment criteria.


FBI Warns Student Data at Risk

Student data is a treasure trove for hackers.

In a recent FBI Alert, the agency warned that the rapid growth of educational technologies combined with the increased collection of student information is the proverbial disaster waiting to happen.


Study Shows Banks Block 80% of Cyberattacks … But is that Enough?

In Accenture’s 2018 State of Cyber Resilience for Banking & Capital Markets study, the consulting firm reported the rate at which cyber-attacks on banking and capital markets firms are successful dropped from 36 percent in 2017 to 15 percent in 2018. Despite the improvement, one in seven cyber-attacks remain successful – begging the broader question of what else, if anything, banks and capital market firms could be doing to protect themselves from attack?


Part II: Hidden Costs of Bug Bounty Programs

Many big data and technology companies consider “bug bounty” programs – incentive-based initiatives that reward “ethical” hackers who report data security bugs or vulnerabilities – attractive and cost-effective tools for weeding out security flaws.


Healthcare in the Cross Hairs: Insider Threat

The healthcare industry has been in the sights of hackers for some time. But a recent survey found that the biggest threat in the sector comes from within.

Verizon has just released its Protected Health Information Data Breach Report and found that 58% of the data security incidents in the industry came from insiders, a number higher than in any other industry. The study is based on an analysis of almost 1400 incidents during 2016-2017 in 27 countries. Almost 75% of the incidents occurred in the U.S.


California Legislature Makes Last-Minute Changes to New Data Privacy Law

As California’s legislative session came to a close late last month, the state’s lawmakers passed SB-1121, approving a series of tweaks to the California Consumer Privacy Act of 2018 or CCPA, the far-ranging data privacy law enacted earlier this summer. The new bill now heads to the governor for consideration.