data breach

Subscribe to data breach
News and Views Roundup
Cambridge Analytica suspension poses risk for Facebook.

Recent news that Facebook has suspended research firm Cambridge Analytica for improperly collecting users’ personal data without their knowledge may not constitute a classic “data breach,” but it poses real risks for the popular social media platform.

Fox Rothschild Partner Scott Vernick, founder of the firm’s Privacy & Data Security Practice, discussed the implications for Facebook, and the next steps the company should take, in an interview with the TD Ameritrade Network.

“Consumers do select companies and want to do business with companies that have control over their data and that can secure their data,” Scott said. “In turn, If you lose consumer confidence, you lose advertiser confidence, so that is the challenge for Facebook.”

View the full interview here.

Ransomware, data breaches, and emerging artificial intelligence — these are some of the cybersecurity trends that executives expect to spill into the coming year with some newer challenges, according to eWeek.

The 2017 data leaks, hacks and attacks that alarmed industries across sectors will only grow more common. Cybersecurity leaders say they expect businesses to continue to innovate practices that bolster their privacy and create consumer products that offer a more comprehensive package of protections against malware, credit theft and identity fraud.

Looking ahead to 2018, regulators are raising the bar for data protection standards for corporations. For example, the EU will enforce General Data Protection Regulations (GDPR), which obligate organizations to comply with specific security improvement practices and approaches. Smaller businesses are expected to leverage multifactor authentication systems for password-protected accounts.

Read more about 2018 cybersecurity trends.

Internet and technology
Estimated annual cybercrime tab hits $600 billion.

The Financial Times reports that many nonprofits are vulnerable to cyberattacks.

Many charities simply don’t want to invest time and money defending against hackers. A 2016 study found about half of nonprofits had not conducted a cyber risk assessment, and two thirds had no plans to increase spending on data security. But hackers don’t give nonprofits a pass. The article tells the story of a small, Indianapolis, Indiana-based cancer charity that lost all its client data in a ransomware attack.

“While it is not surprising that charities want to spend scarce resources on housing the homeless or feeding the hungry, some argue that those very services could be at risk if they fail to invest in cyber security tools and practices,” according to The Financial Times report.

Digital
No slowdown expected in HIPAA enforcement.

The Federal Trade Commission is investing nearly $3 million in technology to support an increasing need for e-discovery driven by massive data breaches such as the one disclosed recently by Equifax.

The news comes from the National Law Journal, which reports that the FTC awarded a one-year contract to Innovative Discovery LLC of Arlington, Virginia for a secure litigation support service. The agency awarded the contract without competitive bids because it “faces usual and compelling circumstances that require the immediate initiation of this pilot,” the Law Journal reported.

“The FTC is entering into an unprecedented year of investigations and litigation, including its investigation into the Equifax data breach and an usually high number of forensic data acquisitions in fraud cases,” agency officials wrote. The contract, they added, “is essential to enabling the FTC to successfully conduct investigations and litigation to stop consumer harm, thus enabling the agency to accomplish its mission.”

Data privacy and security

A new study notes that despite record spending on cybersecurity, overconfidence may be hurting companies’ ability to protect against data breaches.

Tech publication Information Week reports that the survey of IT professionals, by security firm Gemalto, showed that while 94 percent of respondents said their perimeter security was effective, nearly a third reported breaches within the last 12 months. Surprisingly, 14 percent said they would not trust their own organization to safeguard their personal data.

Why the disconnect? Experts interviewed by Information Week chalked it up to a lack of understanding of cybercrooks’ motivations, and a general lack of knowledge about cybersecurity in corporate C-suites. Click here to read the full story.

Username and password login fields, online security

It wasn’t a good week for credit reporting agency Equifax, which admitted to a major data breach affecting more than 143 million people.

Consumers’ data was exposed over three months via a vulnerability in a web application, the company said in a press release announcing the breach.

The breach was covered by every major news outlet, but Data Breach Today‘s Jeremy Kirk raises some interesting questions about Equifax’s notification strategy in this piece.

For the latest in breach response protocol in all 50 states, download Data Breach 411, a free app developed by Fox Rothschild’s Privacy & Data Security practice, available in the iTunes Store.

Cyber insurance
Copyright: putilich / 123RF Stock Photo

Venerable insurer Lloyd’s of London says a global cyber attack on a major provider of cloud services could carry costs of up to $53 billion, reports Data Breach Today.

That’s a hefty price tag that explains the rising demand for cyber insurance. It also sheds light on why insurers are proceeding extremely carefully. The costs of a major data breach can be significant and difficult to predict.

To help define the level of exposure, Lloyd’s worked with cyber consultant Cyence to produce a new report that outlines the direct economic costs of two types of global cyber attacks and estimates the portion of the loss in each scenario that would covered by insurance. In the case of a cloud services attack, only 17 percent of the loss would be insured, Lloyd’s estimates. In the case of a global attack exploiting a software vulnerability, only 7 percent of the estimated loss of up to $28 billion would be assured.

Analysts estimate the cyber insurance market is worth up to $3.5 billion today and could grow to $7.5 billion by 2020.

The September 2015 data breach at Experian exposed the personal information of nearly 15 million wireless carrier customers, and we are just now learning the cost.

Data privacy and securityA recent earnings report revealed the company has expended $20 million in its response to the breach, which exposed information including names, addresses, birthdates, social security numbers, driver’s license numbers, and passport numbers.

The data is used by Experian in the credit-check process and as part of its customer registration. The breach expenses stemmed from notification and credit monitoring for the affected individuals and is likely just the beginning of the company’s deepening woes. Several class action lawsuits were filed and there are government probes that Experian must cooperate with.

So far in 2015, security lapses have affected tens of millions of individuals. As in other high-profile breaches, Experian may ultimately find itself liable for tens of millions of dollars – even after insurance payouts – due to the part it played in leaking personally identifiable information to unauthorized third parties.

The sheer enormity of breach-related damages must also be consider in conjunction with the loss of both shareholder and customer confidence. These combined consequences underscore the need for companies to be exceedingly vigilant and proactive in matters of information security.

State insurance regulators are boosting cybersecurity-related efforts following recent high profile data breaches involving large, prominent insurers. Tens of millions of people have been affected by these breaches, which resulted in multi-state market conduct examinations looking at the cybersecurity aspects of the breaches as well as companies’ responses and the breaches’ financial impact.

Professional associations are also getting more active in privacy and data security. The National Association of Insurance Commissioners’ Cybersecurity Task Force recently weighed in with a list of 12 principles for effective cybersecurity risk regulation: “Principles of Effective Cybersecurity Insurance Regulatory Guidance.” The NAIC document addresses cybersecurity risks that affect all licensees including insurers, insurance producers and third party administrators.

In addition, lawmakers in Oregon, Rhode Island, Washington and Connecticut have enacted data security laws that require licensees to report data breaches, amend or address encryption or require implementation of a comprehensive information security program.

The attorneys of Fox Rothschild’s Insurance and Privacy & Data Security practices work together to help insurance companies create effective breach response plans, implement cybersecurity testing programs, monitor and comply with state and federal cybersecurity laws and incorporate cybersecurity issues in contracts and agreements.

For more information, please contact the author or your Fox Rothschild attorney.

 

The freedom from automated calls at random hours of the evening may seem like the true American dream these days as more and more companies rely on these calls to reach out and communicate with customers.  Unfortunately, now that the Federal Communications Commission (“FCC”) voted to expand the Telephone Consumer Protection Act (“TCPA”) to include stringent yet vague restrictions on telemarketing robocalls, it may not be a dream for everyone. 

In June of this year, in a 3-2 vote, the FCC voted on adding the rule to the TCPA that entails barring companies from using “autodialers” to dial consumers, disallowing more than one phone call to numbers that have been reassigned to different customers, and mandating a stop to calls under a customer’s wishes.  These restriction may seem reasonable but dissenting Commissioner, Ajit Pai, recognized that the rule’s broad language will create issues because it does not distinguish between legitimate businesses trying to reach their customers and unwanted telemarketers.  Some attorneys have further commented on the rule stating that its use of “autodialer” opens up a can of worms of interpretations and can really be viewed as any device with even the potential to randomly sequence numbers, including a smartphone.  Companies using even slightly modernized tactics to reach out to their customer base are now at risk of facing litigation—and it won’t stop there.  Businesses that legitimately need to reach out to their customers will be caught between a rock and a hard place as they face a one-call restriction now and may also open themselves up to litigation if a customer decides to take that route.

The FCC Chairman, Tom Wheeler, attempted to quash concerns by stating that “Legitimate businesses seeking to provide legitimate information will not have difficulties.”  This statement unfortunately won’t stop plaintiff’s attorneys from greasing their wheels to go after companies who even make “good faith efforts” to abide by the new rule.  Attorneys who defend businesses have recognized that the rule is ridden with issues that could potentially harm companies that simply do not have the mechanisms to fully control and restrict repeated calls or the technology that makes those calls.  But, long story short, just because this rule has been put in motion, does not mean it will stand as is. Litigation and court action will likely be a natural consequence and that may result in changes for the future.  For now, businesses that utilize automated phone calls should be wary of the technology used and attempt to at least keep track of numbers and phone calls made.  When in doubt, talk to an attorney to make sure you are taking the appropriate precautions.