Cyber Risk Management and Attorney-Client Privilege in Cybersecurity Discussed on Business Security Weekly

Business Security Weekly, Episode 81, featured Michael Santarcangelo (@catalyst) inviting Shawn Tuma to join as co-host and guest to discuss two topics that should be near and dear to everyone’s hearts:

  1. The legal case for why companies need cyber risk management programs and what experienced cybersecurity attorneys’ roles are in such programs; and
  2. The frequently cited but often misunderstood role of attorney-client privilege in cybersecurity.

Here are the show notes and here is the video:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Can your company do business without its computer system? Let’s ask Atlanta!

Atlanta RansomwareIn the world of cybersecurity and data protection, we tend to think about most cyber incidents as being “data breaches” because that’s the term de jour that occupies news headlines. Because of this, far too many companies think that if they do not have valuable data that hackers would want to “breach,” so to speak, they do not need to be concerned about cybersecurity. While this is wrong on one level because all data has value to hackers, it is even more wrong on a much greater level.

There is a lot more to cybersecurity and data protection than just breaches of the confidentiality of data (i.e., “data breaches“). Hackers have shown a strong trend over the last couple of years of attacking the computer system itself and, as some call it, “bricking” company’s computers and/or data and demanding an extortion payment in exchange for their promise to honor their word and undo the damage (if they even can). This is the process underlying what is often called ransomware.

Do you see where I’m going with this? If not, let me see if I can simplify this process for you a bit with the question below: (1) If you still think your company does not have data that is valuable to hackers, and (2) You still think that means that your company does not need to focus on cybersecurity,

Can your company continue to do business if it is not able to use its computer system?

If you’ve seen the news today you see that the City of Atlanta has had many of its computer systems bricked by ransomware and those business operations that require the use of those systems are now shut down.

Now, let me ask you, “how many days can your company go without doing whatever it is that it does before it really begins to hurt?”

Still need more convincing? Ok, I addressed this issue in more detail in Chapter 5 of The #CyberAvengers Playbook (free to download) — go give it a read.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Marine corp data breach lesson: human error is often the cause and is preventable

There has been a data breach emanating from the U.S. Marine Corps Forces Reserve that impacted 21,426 individuals. The breach exposed their sensitive personal information such as truncated social security numbers, bank electronic funds transfer and bank routing numbers, truncated credit card information, mailing address, residential address and emergency contact information.

Calm down and press the pause button on the hysteria hype machine — it was not the Russians behind it! It was something far more treacherous when it comes to the real world of data breaches: it was human error.

In this case, it happened when an individual sent an email to the wrong email distribution list and the email was unencrypted and included an attachment that contained the personal information described above. You can read more about the breach here: Major data breach at Marine Forces Reserve impacts thousands

THE TAKEAWAY:  The important lesson to take away is that scenarios such as this are far more common than all of the super-sophisticated “hacking” type over-politicised stuff that we usually hear about through the media. This is the real world of data breach that most companies face far more often than they face state-sponsored espionage. In fact, research into actual data breaches reveals that 90% of all claims made on cyber insurance stemmed from some type of human error and, as reported by the highly reputable Online Trust Alliance, “in 2017, 93 percent of all breaches could have been avoided had simple steps been taken such as regularly updating software, blocking fake email messages using email authentication and training people to recognize phishing attacks.” The good news is this type of problem is preventable with some effort.

Below is a checklist of good cyber hygiene that, in reality, all companies should be doing these days. How do you make sure you’re doing it? You develop and implement a cyber risk management program that is tailor-made for your company and is continuously maturing to address the risks your company face — such as my CyberGard™ program.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

FMCNA to Pay $3.5 Million for Non-Compliance with HIPAA’s Risk Analysis and Risk Management Rules

Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and to adopt a comprehensive corrective action plan, in order to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. FMCNA is a provider of products and services for people with chronic kidney failure with over 60,000 employees that serves over 170,000 patients. FMCNA’s network is comprised of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.

Read the full article on HHS’ website and pay careful attention to the 6 specific issues the OCR’s investigation identified as a basis for the fine:

  1. Failed to conduct an adequate risk analysis.
  2. Provided unauthorized access for a purpose not permitted by the Privacy Rule.
  3. Failed to implement policies and procedures to address security incidents.
  4. Failed to implement policies and procedures for devices containing ePHI inside and outside of the facility.
  5. Failed to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft.
  6. Failed to encrypt ePHI in appropriate circumstances.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

3 Legal Points for InfoSec Teams to Consider Before an Incident

secureworldAs a teaser to my presentation at SecureWorld – Dallas last week, I did a brief interview with SecureWorld and talked about three of the points I would make in my lunch keynote, The Legal Case for Cybersecurity. If you’re going to SecureWorld – Denver next week, join me for the lunch keynote on Thursday (11/2) as I will again be making The Legal Case for Cybersecurity.

In the SecureWorld article, Why InfoSec Teams Need to Think with a ‘Legal’ Mind, Before an Incident, we discuss these three points:

  1. There are three general types of “cyber laws” that infosec needs to understand;
  2. Sadly, far too many companies do not take cybersecurity seriously until after they have had a significant incident; and
  3. Companies’ need for implementing and continuously maturing a cyber risk management program (such as my CyberGard).