Really??? Proposed legislation would allow companies to keep some data breaches secret

Let me make sure I have this right … the same company officials who are currently being warned about cyber risk but are not finding it significant enough to act are going to be the ones who determine whether there is a reasonable chance that customers will be harmed — from their data breach — and if, in their judgment there is not, they will not have to go through a breach response? Really???

“The proposed law would require quick disclosure by companies if there is a risk of serious identity theft or fraud, the Wall Street Journal’s Risk & Compliance Journal (sub. req.). But there would be no need for disclosure when company officials believe there is no reasonable chance that customers will be harmed.”

via Proposed legislation would allow companies to keep some data breaches secret.


“This is not a security breach.” Really? IRS hit by cyberattack, thousands of taxpayers’ information stolen

Compare and contrast the following statements:

“Thieves managed to steal information on more than 100,000 taxpayers from the IRS,” Commissioner John Koskinen said Tuesday.

“This is not a security breach. Our basic information is secure,” Mr. Koskinen insisted.

Well, I am glad to know that stealing consumer data from the computer of an entity to which it was entrusted is not a security breach. Nothing to see here. Move along …

Read more: IRS hit by cyberattack, thousands of taxpayers’ information stolen – Washington Times.

CareFirst cyberattack causes data breach of more than 1 million members

“Personal information of more than 1 million current and former CareFirst BlueCross BlueShield members was leaked in a cyberattack on the insurer’s database.” The information exposed included names, birth dates, email addresses, and subscriber identification numbers. The attack was similar to the Premera BlueCross breach; Premera was hit one month earlier than CareFirst.

Read more: CareFirst cyberattack affects more than 1 million members – Baltimore Business Journal.

AllClear ID

Excellent information and great company: check out AllClear ID’s “Resources” page

I have always been a fan of AllClear ID for being the best of the best at handling breach response logistics but now, I have to give them a shoutout for another reason. AllClear has a Resources page with some of the very best and most well-respected law firm blogs in the world.

While I am certainly not saying it is deserved, it is very much appreciated that they have chosen to include this blog — the Business Cyber Risk Law Blog — among such great company. Go check it out and you will see for yourself why this is such an honor.

Thank you AllClear ID!


FTC Gives Good Reason to Not (Try to) Hide Data Breaches

Why do I need to report a data breach?

This is a common question that business owners ask me all of the time. In response, I rattle off a laundry list of reasons why reporting is not optional — but mandatory. This includes ethical stewardship and obligations, business and public relations reasons, and finally legal obligations that make it mandatory.

Some still think I am just Chicken Little claiming the sky is falling, but so it goes as some people just can’t be helped.

Thanks to the FTC, I now have another reason to give them. It fits into the legal obligations requirement and, while most of us in this profession implicitly knew this all along, it always helps when an agency like the FTC just comes right out and says it: the FTC said that it looks ‘favorably’ on firms that report a data breach.

“In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach,” said Mark Eichorn, the agency’s assistant director for privacy and identity protection.

There you go, simple enough? Yes, you must report the data breach. Period. End of story.

Read more via FTC looks ‘favorably’ on firms that report data breach | TheHill.

Cybersecurity Risk: Law and Trends – Ethical Boardroom Article

The law is trending toward more risk of liability for Officers and Directors. Learn more about this from my recent article in Ethical Boardroom — full text available without paywall here: Cybersecurity Risk: Law and Trends.

Bleak Cybersecurity Future: Data Breaches on Track to Cost Companies $2.1 Trillion

I recently posted about how corporate general counsel now view cybersecurity as a top 3 concern. At this rate, it will soon be their #1 concern. A recent article in Corporate Counsel gives several reasons for why this problem will only continue to increase in volume, expense, and overall risk to companies:

  1. Companies continue to move more infrastructure online
  2. The annual cost of data breaches is projected to rise to $2.1 trillion by 2019
  3. Cybercriminals are more often hacking for profit instead of for “causes” as with hacktivism
  4. Nearly 60 percent of data breaches in 2015 are anticipated to be in North America
  5. The average cost of a data breach is projected to exceed $150 million by 2020
  6. Companies are developing quantum computers with so much power they will render ineffective all currently known defenses

Not only should corporate general counsel be concerned about cybersecurity, but so too should companies’ officers and directors because there is a growing trend toward liability for them as well.

Read more: Data Breaches on Track to Cost Companies $2.1 Trillion | Corporate Counsel.