This blog post is the sixth and final entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs. This post will focus on what a business should not do after a cyberattack. Key points include (1) not using the network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network.
Continue Reading The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 6 of 6)
Mark G. McCreary
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 5 of 6)
This blog post is the fifth entry of a six-part series discussing the best practices relating to cyber security. The previous post discussed the important steps that a business should take to preserve evidence and information once a cyberattack has been identified. This post will discuss the individuals and organizations that should be notified once a cyberattack occurs. The four most important groups to contact are (1) individuals within the business, (2) law enforcement officials, (3) the Department of Homeland Security, and (4) other possible victims.
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 4 of 6)
This blog post is the fourth entry of a seven-part series discussing the best practices relating to cyber security. The previous post discussed the initial steps that a business should take once a cyberattack has been identified. This post will discuss further steps that a business should take after an attack. …
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 3 of 6)
This blog post is the third installment of a seven-part series discussing the best practices relating to cyber security. The first two blog posts discussed the best practices for preparing a business in case of a cyberattack. This post will discuss the initial steps that a business should take after a cyberattack occurs. …
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 2 of 6)
This is the second installment in a seven-part discussion on the best practices to prevent a cyberattack. The first part discussed four critical steps to prepare a business in the case of a cyberattack. These included: (1) identifying the crucial assets and functions of a business, (2) creating a Response Plan, (3) installing the appropriate technology, and (4) obtaining authority for network monitoring. This article builds on those steps by suggesting further best practices in order to prevent a cyberattack.
The Anatomy of a Cyber Attack: Prevention, Response and Postmortem (Part 1 of 6)
Cyber-attacks can impact any business regardless of size, sector, or level of cyber security. The best way to minimize damages from a cyber-attack is to plan ahead and prepare for a possible attack. Forward thinking can minimize damages and shorten the process of recovery from a cyber-attack. The following suggestions are important steps that every business should take to prepare for a cyber-attack.
Pennsylvania Continues to Rely on Third Circuit Holding that the Risk of Harm is Not Enough in Data Breach Actions
As noted in Dittman et al. v. The University of Pittsburgh Medical Center, Case No. GD-14-003285, previously reported on here, Pennsylvania has firmly adopted the approach that the Risk of Harm is Not Enough in Data Breach Actions. Still, data breaches have become some of the most noteworthy headlines in recent news. An increase in litigation has brought with it efforts to shrink the case load through the Article III requirement of standing. This means that courts are finding that the plaintiffs have not sufficiently established a concrete injury in order to seek remedies from the court. One of the main issues with data breaches is that once the data has been extracted or accessed, it is not necessarily always true that tangible harm will follow. Due to that nature, the Third Circuit established that when it comes to data breach actions, simply the risk of future harm does not suffice to save the claim. The seminal case of Reilly v. Ceridian Corp. held that where no actual misuse is alleged, “allegations of hypothetical, future injury do not establish standing under Article III.” 664 F. 3d 38 at 41 (3rd Circuit 2011).
Even the Federal Government Can’t Hide: How a High-End Cyberattack Breached One of the Most “Protected” Systems
With data breaches being the quickly trending “flavor of the month” criminal activity, it’s no shock that on June 4, 2015 yet another system was hit. This time though, it may be one of the largest cyberattacks in U.S. history—compromising as many as 4 million current and former federal employees’ information. The U.S. Office of Personnel Management (OPM) handles security clearances and background checks and although many would assume that its security is top-notch, the facts on the ground reveal that every place taking in sensitive information—including the government—must update its privacy infrastructure. …
Cyberattacks and At Bats
Cyberattacks are not reserved for science fiction or corporate America; they can also impact professional sports. An example of cybercrime is currently unfolding in Major League Baseball, where the St. Louis Cardinals are under investigation for cyberattacks. The F.B.I. and Justice Department prosecutors are investigating whether the Cardinals hacked into the Houston Astros’ computer systems to obtain confidential baseball data.
When a Consumer Gives Personal Information After Opting-Out
More often than not, companies are realizing that a consumer has provided her information after she previously opted out of marketing. For example, a company collects contact information online, sends a consumer an email marketing its services, and she opts out of further email marketing by following the “opt-out” procedures in that email. Six months later the same consumer participates in a survey sponsored by the same company, the terms of which state that by participating in the survey the consumer consents to receive further marketing communications from the company. Is the company bound by the prior opt-out by the consumer, or does her participation in the survey under the rules permitting marketing override the original opt-out?