Tag: Data breach

Do data breaches have consequences? Will Equifax CIO serve jail time for insider trading?

Posted on by Shawn E. Tuma

“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.” Richard R. Best, SEC – Atlanta Division

For years many in the cybersecurity/data breach space have been saying that somebody is going to have to go to jail before corporate decision-makers begin to take cybersecurity as seriously as they should. Many thought the Department of Justice’s focus on individual accountability through the “Yates Memo” may be the vehicle but that has not yet happened.

With the Equifax breach and revelations that three executives had sold stock in the company before the breach was announced publicly, we saw an outcry against what was believed to be insider trading and calls for the executives to face jail time:

Thirty-six U.S. senators on Tuesday called on federal authorities to investigate the sale of nearly $2 million in shares of credit bureau Equifax Inc by company executives after a massive data breach, and one compared their actions to insider trading.

The lawmakers signed a letter asking the U.S. Department of Justice, the Securities and Exchange Commission and the Federal Trade Commission to look into about $1.8 million in stock sales by three executives between July 29 – the day Equifax said it learned that its systems were hacked in mid-May – and when they made it public last week.

“If that happened, somebody needs to go to jail,” Senator Heidi Heitkamp, a Democrat on the Senate Banking Committee, said at a credit union industry conference in Washington. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”

gate-191675_1920As it turned out, however, the sale of stock by those Equifax executives was found to have been properly approved and they did not know of the data breach at the time of the sale, so it was not the problem that many had suspected.

Criminal Charges Filed Against Former CIO of Equifax Unit

For one former Equifax executive, however, his actions were not quite so innocent and may now give rise to the closest chance yet of someone actually getting jail time as a consequence of a data breach:

If these allegations are true, this certainly sounds like insider trading. As stated by Richard R. Best, Regional Director of the Atlanta Regional Office of the SEC, “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”

Best’s sentiments were echoed by David J. LeValley, Special Agent in Charge of FBI Atlanta: “By prosecuting cases like this, the FBI and the U.S. Securities and Exchange Commission are sending a strong message to company insiders that they must follow the same rules that govern regular investors. Otherwise, they face the severe consequences for failing to do so.”

Severe consequences can mean many things. What everyone is really wanting to know is whether Ying actually serve any jail time. If he does, this case will be a game-changer that moves the needle of data breach consequences significantly upward. We will not know the answer to that question until he is convicted (or enters a plea agreement) and sentenced. Some articles state that Ying is facing up to 25 years in jail on the charges. Neither the SEC nor DOJ press releases state how long of a sentence is being sought.

As far as real-life insider trading cases where people have actually been sentenced to jail go, a Wall Street Journal post from 2014 discussing the longest insider trading sentences has the top 5 longest sentences ranging from 12 years down to 7 years. Comparing the amount of money involved in those cases to the $117,000 in losses that Ying avoided makes this cases relatively small. I doubt we will see anything approaching those sentences.

If the question, however, is not how much jail time will Ying get but whether he will get any jail time, I think both the SEC and DOJ have been looking for the right poster child to make an example out of and Ying may have drawn the short straw. Let’s see …

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Do data breaches have consequences? Law firm closes due to irreparable damages to its reputation

Posted on by Shawn E. Tuma

The once prestigious 40-year law firm Mossack Fonseca, infamously known for its data breach that revealed the Panama Papers, is closing at the end of the month. The reason, in its words:

“The reputational deterioration, the media campaign, the financial siege and the irregular actions of some Panamanian authorities have caused irreparable damage, whose obligatory consequence is the total cessation of operations to the public.”

What led to all of that? Its data breach, of course.

Full article: Mossack Fonseca to close doors at end of month

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Marine corp data breach lesson: human error is often the cause and is preventable

Posted on by Shawn E. Tuma

There has been a data breach emanating from the U.S. Marine Corps Forces Reserve that impacted 21,426 individuals. The breach exposed their sensitive personal information such as truncated social security numbers, bank electronic funds transfer and bank routing numbers, truncated credit card information, mailing address, residential address and emergency contact information.

Calm down and press the pause button on the hysteria hype machine — it was not the Russians behind it! It was something far more treacherous when it comes to the real world of data breaches: it was human error.

In this case, it happened when an individual sent an email to the wrong email distribution list and the email was unencrypted and included an attachment that contained the personal information described above. You can read more about the breach here: Major data breach at Marine Forces Reserve impacts thousands

THE TAKEAWAY:  The important lesson to take away is that scenarios such as this are far more common than all of the super-sophisticated “hacking” type over-politicised stuff that we usually hear about through the media. This is the real world of data breach that most companies face far more often than they face state-sponsored espionage. In fact, research into actual data breaches reveals that 90% of all claims made on cyber insurance stemmed from some type of human error and, as reported by the highly reputable Online Trust Alliance, “in 2017, 93 percent of all breaches could have been avoided had simple steps been taken such as regularly updating software, blocking fake email messages using email authentication and training people to recognize phishing attacks.” The good news is this type of problem is preventable with some effort.

Below is a checklist of good cyber hygiene that, in reality, all companies should be doing these days. How do you make sure you’re doing it? You develop and implement a cyber risk management program that is tailor-made for your company and is continuously maturing to address the risks your company face — such as my CyberGard™ program.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

What is “reasonable cybersecurity” and how do courts view it? (SecureWorld interviews)

Posted on by Shawn E. Tuma

What is “reasonable cybersecurity” and how do courts view “reasonable cybersecurity”?

See KnowB4’s discussion of these interviews

These are two excellent questions that I was asked and I answered, as succinctly as I could, in two short interviews with SecureWorld. Tell me what you think about my answers.

What Is Reasonable Cybersecurity? – SecureWorld article

How Courts & Attorneys View ‘Reasonable Cybersecurity’ in 2018 – SecureWorld article

Here are the videos.

 

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Uber’s CISO Makes Case for Uniform National Data Breach Notification Law

Posted on by Shawn E. Tuma

UberUber’s Chief Information Security Officer (CISO), John Flynn, made a case for a uniform national data breach notification law in his testimony to members of Congress (see penultimate paragraph of full written testimony):

I would like to conclude by stating that we strongly support a unified, national approach to data security and breach standards. We are proactively engaged in the many conversations in both the technical and policy communities to help identify what the critical components of federal data breach legislation should be, and are pleased to see this robust conversation taking place with various Members of Congress and your staff. We welcome the opportunity to be at the table to help all stakeholders understand the best practices.

I agree!

NTSC LogoIf you are a CISO of a company and are interested in participating in this discussion, please considering joining the National Technology Security Coalition (NTSC) in this effort to get an appropriate uniform federal data breach notification law passed. (Disclaimer, I am a member of the NTSC’s Policy Counsel and will be assisting in drafting proposed legislation.)

See these related posts:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

State data breach notification law mishmash would get worse with proposed NC and SD legislation — is instant notification by clairvoyant next?

Posted on by Shawn E. Tuma

electrical-cable-mess-2654084_1920The push for a single uniform national data breach notification law gained strength in the wake of the Equifax breach. Now proposed legislation in North Carolina would amend its law in a way that would add momentum to this push. And, now South Dakota is tired of being one of only two states without a breach notification law and wants to abandon Alabama and join the other 48 states by getting a law of its own.

See Why Do Data Breach Disclosures Take So Long? Let’s Ask the SEC Chairman

North Carolina, in a never-ending race to see which state can come up with the most impractical breach notification law, has proposed legislation that would (1) now requiring that companies notify consumers and the state Attorney General of data breaches within 15 days; and (2) adopt the HHS’ view under HIPAA that a ransomware attack is a data breach that requires notification and reporting. You can read more details about the new law here, but this is enough to help you see why even this Texan believes we need a federal breach notification law in place before some state requires instantaneous notification of consumers by a clairvoyant.

South Dakota’s proposed legislation is at least generally consistent with the existing laws of many of the other 48 states. It would require companies to notify its residents whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person, within 45 days from the discovery or notification of the breach. Breaches affecting more than 250 of its residents would require notifying the state’s Attorney General as well. You can read more details about the proposed law here.

Under the proposed laws for both the North Carolina and South Dakota, the failure to comply with the breach notification requirements would be a violation of the respective states’ deceptive trade practices laws.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

 

Happy Data Privacy Day!

Posted on by Shawn E. Tuma

WHAT ARE YOU DOING TO OBSERVE IT?

Data Privacy DayToday is Data Privacy Day! If you have been wondering “what is Data Privacy Day?” then this is your lucky day because not only is today Data Privacy Day, but here is the answer and an explanation for why it really matters to you and your company’s future success.

What is Data Privacy Day?

Data Privacy Day is observed every year on January 28 and is led by the National Cyber Security Alliance (NCSA), a nonprofit, public-private partnership dedicated cybersecurity education and awareness. According to the NCSA,

DATA PRIVACY DAY IS AN INTERNATIONAL EFFORT TO EMPOWER AND EDUCATE PEOPLE TO PROTECT THEIR PRIVACY AND CONTROL THEIR DIGITAL FOOTPRINT.

DATA PRIVACY DAY BEGAN IN THE UNITED STATES AND CANADA IN JANUARY 2008 AS AN EXTENSION OF THE DATA PROTECTION DAY CELEBRATION IN EUROPE. DATA PROTECTION DAY COMMEMORATES THE JANUARY 28, 1981, SIGNING OF CONVENTION 108, THE FIRST LEGALLY BINDING INTERNATIONAL TREATY DEALING WITH PRIVACY AND DATA PROTECTION. DATA PRIVACY DAY IS NOW A CELEBRATION FOR EVERYONE, OBSERVED ANNUALLY ON JANUARY 28.

DATA FLOWS FREELY IN TODAY’S ONLINE WORLD. EVERYONE – FROM HOME COMPUTER USERS TO MULTINATIONAL CORPORATIONS – NEEDS TO BE AWARE OF THE PERSONAL DATA OTHERS HAVE ENTRUSTED TO THEM AND REMAIN VIGILANT AND PROACTIVE ABOUT PROTECTING IT. BEING A GOOD ONLINE CITIZEN MEANS PRACTICING CONSCIENTIOUS DATA STEWARDSHIP. DATA PRIVACY DAY IS AN EFFORT TO EMPOWER AND EDUCATE PEOPLE TO PROTECT THEIR PRIVACY, CONTROL THEIR DIGITAL FOOTPRINT, AND MAKE THE PROTECTION OF PRIVACY AND DATA A GREAT PRIORITY IN THEIR LIVES.

14 Tips For Keeping Your Company’s Data Secure

In honor of Data Privacy Day, the International Association of Privacy Professionals (iapp) has posted an article with 14 tips you need to consider when evaluating how to keep your company’s data secure:

  1. Know Thy Data. Determine what data you collect and share. Classify it according to its level of criticality and sensitivity. What could be considered PII? Define whether data is “in use,” “in motion” or “at rest.” Know where the data is physically stored.
  2. Terms and Conditions May Apply. Make sure your privacy policy reflects current data practices (see Tip #1). This includes the use of third-party advertisers, analytics, and service providers. Periodically review and confirm these third parties comply with your written policies.
  3. You Don’t Know What You’ve Got Till It’s Gone. Conduct annual audits to review whether your data should be retained, aggregated or discarded. Data that’s no longer used needs to be securely decommissioned. Create a data retention policy dictating how long you keep information once it’s fulfilled its original purpose. And, of course, continually ask whether that purpose is still valid and relevant.
  4. Practice or You’ll Breach. Forged e-mail, malvertising, phishing, social engineering exploits and data snooping via unencrypted transmissions are on the rise. From simple controls to sophisticated gears, make sure you’ve implemented leading security “best practices.”
  5. AYO Technology! Data Loss Prevention (DLP) technologies identify vulnerabilities of potential exposures. These work in conjunction with existing security and antivirus tools. From early warnings of irregular data flows to unauthorized employee access, DLP solutions help minimize and remediate threats.
  6. BYOD Is Like a BYOB House Party. The lack of a coherent bring-your-own-device (BYOD) program can put an organization at risk. User devices can easily pass malware and viruses onto company platforms. Develop a formal mobile device management program that includes an inventory of all personal devices used in the workplace, an installation of remote wiping tools and procedures for employee loss notification.
  7. Insist on a List. To mitigate the grave impact on your organization, inventory key systems, access credentials and contacts. This includes bank accounts, registrars, cloud service providers, server hosting providers and payroll providers. Keep this list in a secure yet accessible location.
  8. Forensics – Don’t Do This at Home. The forensics investigation is essential in determining the source and magnitude of a breach. This is best left to the experts as it’s easy to accidentally modify or disrupt the chain of custody.
  9. Where the Logs At? Logs are fundamental components in forensics analysis, helping investigators understand what data was compromised. Types of logs include transaction, server access, firewall and client operating system. Examine all logs in advance to ensure correct configuration and time-zone synchronization. Routinely back them up; keep copies, and make sure they’re protected.
  10. Incident Response Team to the Rescue! Breaches are interdisciplinary events requiring coordinated strategies and responses. The team should represent every functional group within the organization, with an appointed executive who has defined responsibilities and authority. Establish “first responders” available 24/7 (hackers don’t work a 9 to 5 schedule).
  11. Get Friendly With the “Fuzz.” Reach out to law enforcement and regulators prior to an incident. Know who to contact so you won’t have to introduce yourself in the “heat of the battle.” When you have bad news to report, make sure they hear directly from you (a courtesy call goes a long way). Don’t inflame the situation by becoming defensive; focus on what you’re doing to help affected parties.
  12. Rules, Rules, Rules. Become intimately familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate governmental body can result in further inquiries and fines.
  13. What Did You Say? A well-executed communications plan not only minimizes harm and potential legal consequences, it also mitigates harm to a company’s reputation. Address critical audiences and review applicable laws before notifying. Tailor your message by geographic region and demographics. Knowing what to say is just as important as knowing what NOT to say.
  14. Help Me Help You. Customers want organizations to take responsibility and protect them from the potential consequences of a breach. The DIP should include easy-to-access remedies that offset the harm to affected parties.

Here is a link to the full post: How to Lose Your Data in 10 Days

The 14 tips are a great place to start when thinking about securing your company’s data. As shown by the recent data breaches that have hit Target, Neiman Marcus, Michaels, and Barnes & Noble, the question is no longer one of if your company will have a data breach, but when.

When Your Company is Breached, Your Preparation Will Be Vital to the Company Surviving the Crisis

A data breach is a crisis situation for any company–especially given the amount of attention data breaches are getting these days. From a very big picture perspective, there are two goals to strive for when a company responds to a data breach: (1) avoid, or at least mitigate, any legal and regulatory trouble; and, (2) more importantly, minimize the impact of the breach on the company’s overall business. (see related data breach discussions) The only way your company can achieve these goals is to be proactive by getting prepared before the inevitable occurs–the breach.

If your company is prepared, it is in a much better position to minimize the loss of data, be better able to respond to the breach, and demonstrate to the legal and regulatory authorities that it acted reasonably in protecting its data, which can be very helpful in minimizing the legal and regulatory repercussions, which is the first step. By being prepared and better able to address the first step, the company is then able to focus more of its efforts on polishing its response to be more palatable for its customers and better addressing their feelings and concerns. In other words, if the company is prepared, it is not panicking and scrambling just to get out a response–any response–but instead can take the time to analyze the situation through its customers’ eyes and provide a much better response that takes their feelings and concerns into consideration. This is the vital step because this is what helps preserve the company’s customer relationships.

The best way to be prepared for this is for your company to have a thorough and custom data breach incident response plan. The data breach incident response plan should be tailored to fit your company in many ways, including the following ways just to name a few:

  • the nature of your company’s culture, both internally and externally
  • the nature of your company’s customers
  • the nature of your company’s products or services
  • the nature of your company’s operations and management structure
  • the type, volume, and sensitivity of the data your company collects and retains
  • the security measures your company has in place
  • the resources your company has to devote to data security issues
  • the security standards of your company’s particular industry

Could you figure these things out on your own, with enough time and effort? Probably so — but would that really be efficient? More importantly, and I can not over-emphasize this point enough: You need an attorney to assist you with many of these things because, when done under the guidance of an attorney and if the proper formalities are observed, much of the process can be protected by the attorney-client privilege, but not if you don’t have an attorney assisting with the process.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Allscripts EHR Ransomware Attack is Huge–How Will it Impact Healthcare Practices?

Posted on by Shawn E. Tuma

OCR LogoSee recommendations below

On January 19, 2018, cybercriminals were successful in a ransomware attack on Allscripts, an electronic healthcare record (EHR) provider for healthcare providers across the United States. The attack encrypted some of Allscripts systems and prevented those healthcare providers who use those systems for their EHRs from being able to access their patient records. Not only is there the obvious impact this has had on those healthcare providers’ ability to treat their patients, but also, under HIPAA, the Office of Civil Rights presumes that all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless certain criteria are satisfied. (See checklist in this post and this post for further explanation).

TMLT LogoThe Texas Medical Liability Trust (TMLT)’s blog post, Allscripts EHRS Falls Victim to Ransomware Attacks, goes into much greater detail in describing the facts of this event and what has taken place since the initial attack. The blog also provides an excellent analysis of the Business Associates considerations in a situation such as this and the post features several important recommendations for what practices need to do now from my friend and excellent cybersecurity and data privacy attorney Adrian Senyszyn (LinkedIn) and myself. So, what are you waiting for, go read the TMLT post … and hope and pray that you planned ahead and have cyber insurance!

See Also:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

The Most Positive Cybersecurity Trend I Have Seen in Nearly 20 Years!

Posted on by Shawn E. Tuma

business-1989131_1920In the last quarter of 2017, I have observed a cybersecurity trend that has given me more hope than any that I have seen previously. Let me explain.

As an attorney, I have been practicing what can generally be described as cyber law or cybersecurity law since 1999, which means that my practice has evolved a lot over the years. It also means that I have seen a lot over the years.

My practice has been divided into three distinct areas over the last several years:

  1. Proactively, by helping clients assess and understand their overall cyber risk and then developing, implementing, and maturing a strategic cyber risk management program that prioritizes their efforts to help minimize their cyber risk.
  2. Reactively, by leading companies through the cyber incident response and data breach response process (e.g.,  as a “breach guide” or “breach quarterback”) and regulatory investigations and enforcement actions.
  3. Reactively, by representing clients in litigation involving cyber-related claims like data loss, data theft, computer hacking, and business to business disputes concerning responsibility for cyber incidents.

For nearly twenty years, the number of clients that have hired me to help in a reactive role, such as with incident response and litigation of cyber claims, has towered above those who have sought my help for proactively assessing their cyber risk and developing and implementing a cyber risk management program. It has not even been close.

This has not been due to a lack of effort on my part. I have always done my best to encourage clients to be responsible when it comes to cybersecurity by being proactive and focusing first on risk management and prevention but this has generally fallen on deaf ears. They did not want to be cyber responsible — or, even if they did want to be, they were not willing to invest resources into being cyber responsible.

But in the last quarter of 2017, this has changed.

The trend that I have observed developing over the last Quarter of 2017 is outstanding! For the last few months I have had substantially more clients hire our firm for helping them with a proactive cyber risk management program than we have ever seen in the past, so much so that the amount of work we are now doing on these programs is equal to or greater than the amount of work we are doing on incident response and litigation.

What makes this trend so great? The answer is simple: it shows that companies are finally starting to get it! They are finally seeing that it is better for them to invest resources into proactively preventing cyber incidents and data breaches from happening than it is to sit back and wait with the only strategy being to hope that it will not happen to them — because it will happen to them if they do nothing to stop it.

I hope that the trend that I am seeing is consistent across the industry. If it is, we just may be turning the corner in the war on cybercrime that is destroying our companies and decimating our individual privacy.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Complimentary Webinar: Countdown to #GDPR – Compliance for Non-EU Companies

Posted on by Shawn E. Tuma

Countdown to GDPR Compliance is a complimentary webinar that I will be moderating on Thursday, December 7, 2017, at 12:00 PM Central.  This is the second webinar in a three-part series sponsored by Mackrell International and will focus on Compliance for Non-EU Companies. You don’t want to miss it!

Moderator: Shawn Tuma
Presenter: Marta Stephanian, Ten Holter/Noordam
Presenter: Henrik Nilsson, Wesslau Söderqvist Advokatbyrå

 

COUNTDOWN TO GDPR COMPLIANCE: Compliance for Non-EU Companies
Sponsored by Mackrell International
Thursday, December 7, 2017 @ 12:00 PM CT
LINK for more information
Register via email: GDPR@hogefenton.com

GDPR Invite 2 11_21

I hope you are able to attend the webinars and find the information helpful in your business. As always, please let me know if you have any questions or if I can help you.

Shawn E. Tuma | Scheef & Stone, L.L.P.
Cybersecurity & Data Privacy Attorney
2600 Network Blvd., Suite 400, Frisco, TX 75034
214.472.2135 (direct) | 214.726.2808 (mobile)
Email: shawn.tuma@solidcounsel.com
Firm: www.solidcounsel.com
Blog: www.businesscyberrisk.com