Morrison Mahoney  
Connecticut  >>  Massachusetts  >>  New Hampshire  >>  New Jersey  >>  New York  >>  Rhode Island  >>  United Kingdom

Cybersecurity, Data Protection and Privacy Newsletter

November 6, 2018
Welcome to the Morrison Mahoney Cybersecurity, Data Protection and Privacy Newsletter. If you haven't already, please sign up to have future newsletters automatically sent to your inbox.  
IN CASE YOU MISSED IT...
  • "You've got an uphill battle" are words that no attorney wants to hear from a judge. But that's just what U.S. Circuit Judge David Tatel of the D.C. Circuit said to government attorneys seeking to have the Court affirm the dismissal of two consolidated lawsuits in which unions representing federal employees sued the U.S. Office of Personnel Management (“OPM”) in connection with two related cybersecurity breaches disclosed by OPM in 2015 (we wrote about the dismissals here). The District Court had held that none of the plaintiffs in either case had standing because they could not show that the data breach which exposed their personal information put them at greater risk of future harm. Expect the matters to be remanded. You can read more about the appellate argument here
  • The New Jersey State Police announced that it received 958 reports of data breaches in 2017, representing a 42 percent increase over the prior year. And in Washington State's third annual data breach report, state Attorney General Bob Ferguson announced that 3.4 million residents were the victims of data breaches between July 2017 and July 2018 (a 26% increase compared to 2017 and more than 700% compared to 2016), and that the numbers keep rising. These increases represent the norm nationwide, not the exception.

  • Last week, Sen. Ron Wyden (D-Ore.) released a discussion draft of sweeping new legislation that he hopes would empower consumers to control their personal information, create radical transparency into how corporations use and share their data, and impose harsh fines and prison terms for executives at corporations that misuse Americans' data. You can read the draft here.

  • According to a recent study by The Ponemon Institute and IBM, the healthcare industry took an [unacceptably long!] average of 350 days to identify and contain a data breach. That length of time was second only to the entertainment industry. The global study, entitled "The 2018 Cost of Data Breach Study: Impact of Business Continuity Management," explores the impact of proactive data recovery planning on the cost and frequency of data breaches, both of which have been shown to decrease by more than 30 percent in organizations that embrace proactive recovery programs. Overall, the study shows a distinct competitive advantage in financial results, operational efficiency, and corporate reputation for organizations that deploy automated disaster recovery to maintain business continuity following a data breach.

  • While we're on the topic of studies, according to a recent report from global management consulting firm A.T. Kearney, C-level executives rank cybersecurity as the No. 1 challenge they face for the third consecutive year, yet only 39% of the 400 executives and board members surveyed said their company has fully developed and implemented a cyber defense strategy. Only 39%!
  • One more study of note: the eighth annual Information Security and Cyber Risk Management survey from Zurich North America and Advisen Ltd. was recently released. The study revealed a growing reliance on insurance by organizations seeking to manage evolving cyber risks, with a 10 percentage point uptick in the purchase of cyber insurance from 2017, either as stand-alone policies or by endorsement, representing the largest year-over-year increase since the first Advisen survey. The study also noted a significant disparity between large and middle-market companies, with large companies 20 percent more likely to have altered their cybersecurity program in the past year due to the evolving threat landscape, and large companies expressing a higher degree of concern about business continuity risks, even though middle-market companies have been more frequently impacted by business interruption losses.

  • Thanks in no small part to the GDPR, the average fine imposed by the U.K.'s Information Commissioner's Office on businesses that failed to protect data from cyber and other breaches DOUBLED since last year. We can expect more of the same going forward.

    For more information on any of these stories please contact Daniel Marvin by clicking here.
DID YOU KNOW...
...that phishing is the most common type of outsider attack that leads to cybersecurity breaches, and that 87% of global executives view untrained staff as the greatest cyber risk to their business? We have repeatedly emphasized the importance of cybersecurity training, and encourage you to let those in your organization know that according to KnowBe4, the most common phishing email subjects in Q3 2018 included:
  1. You have a new encrypted message
  2. IT: Syncing Error - Returned incoming messages
  3. HR: Contact information
  4. FedEx: Sorry we missed you.
  5. Microsoft: Multiple log in attempts
  6. IT: IMPORTANT – NEW SERVER BACKUP
  7. Wells Fargo: Irregular Activities Detected On Your Credit Card
  8. LinkedIn: Your account is at risk!
  9. Microsoft/Office 365: [Reminder]: your secured message
  10. Coinbase: Your cryptocurrency wallet: Two-factor settings changed
For information on Morrison Mahoney's C-Suite and Employee Cybersecurity Training programs for organizations of all sizes, please email us at cybersecurity@morrisonmahoney.com.
Study Demonstrates Competing Interests in Consumers’ Attitudes to Protecting their Online Data
By: Robert A. Stern 
We have previously noted (here and here) the disconnect between the public's yearning for data privacy and the anecdotal evidence that suggests that many individuals do not implement basic practices that could safeguard their personal and sensitive information. Indeed, another study confirming the foregoing was recently released by BestVPN.com, entitled The State of Online Privacy (registration may be required), which found that while 87.5 percent of consumers surveyed indicated they were concerned with online privacy, paradoxically, 46 percent stated they had not availed themselves of some of the most basic data protection steps, such as adjusting their privacy settings on social media to protect their personal information.
Similarly reflecting conflicting attitudes, 45 percent of surveyed consumers indicated that they are uncomfortable using platforms that track, use and potentially sell their personal data, while 62% believed it was illegal for internet service providers to collect and sell their personal data without their consent. Moreover, notwithstanding that 87.5 percent of those surveyed expressed concern for online privacy, only 48 percent stated they had checked to see if their data had been compromised. The tension between a strong desire to protect personal data and having immediate access to their favorite websites and apps is underscored by a finding by Norton that 57 percent of Americans wait just a few minutes when in a public space that offers unsecured Wi-Fi before connecting. Notwithstanding that unsecured Wi-Fi hotspots are known to be among the easiest to spoof, track and acquire personal data from users, consumers regularly ignore the warning signs and risk in exchange for the convenience of being able to go online.
Moreover, while multi-factor authentication would provide an additional layer of protection against hackers, as would using a password manager, the survey found only 41 percent of consumers enabled two-factor authentication to access email, social media and bank accounts. 
The BestVPN study is consistent with other reports that have found consumers confused about what organizations can do with their data and what role they play in protecting it. Notwithstanding the widespread reporting of mega data breaches, it is clear that more focus on public awareness and education as it relates to privacy settings, security tools and easy-to-implement practices they can implement to take an active part in the protection of their data is needed. While organizations will continue to be subject to legal requirements to protect and safeguard data, consumers will need to be cognizant, through education and the media, that they, too, must join the fight against the unlawful acquisition of their data by hackers. 
International Shipbuilder’s Data Breach Demonstrates the Importance of Network Segmentation
By: Alex D'Amico
On November 1, 2018, the Australian Associated Press reported that Australian shipbuilder and defense contractor Austal was the victim of a data breach and extortion attempt.  The data theft reportedly involved unclassified ship design drawings as well as staff email addresses and phone numbers.  Austal, which has defense contracts with multiple nations, including the United States, stated that there is no evidence that classified or sensitive information has been compromised.  The ship design drawings that were stolen in the breach were purportedly intended for distribution to customers and sub-contractors or suppliers.  Therefore, they did not contain confidential information.
Data relating to Austal's work in connection with the US Navy is purportedly maintained on a separate network from the Australian network that was hacked.  Accordingly, the hacker that infiltrated Austal's Australian systems would have been unable to access classified information regarding Austal's US projects without further infiltrating the segmented US portion of Austal's network.  The cybersecurity strategy of dividing a large computer network into smaller subnetworks is called network segmentation.  Network segmentation can protect an organization from cyber threats in multiple ways, including: a) creating additional layers of protection for the organization's most sensitive information; b) reducing the risk of an accidental breach due to employee or independent contractor negligence; and c) limiting the scope of a breach by containing the hacker's unauthorized access.  Segmentation delivers these benefits only when the boundaries between segments are actually enforced (by firewalls or access control lists that deny traffic by default, and by separate credentials for each segment) and when traffic crossing those boundaries is monitored; a segment that any internal host can reach freely is a label, not a control.
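The "limiting the scope of a breach" point above can be made concrete by modelling the segments as zones and the firewall rules between them as allowed flows, then asking which zones an attacker who has compromised one host can reach. The example below is added here as an illustration and is not Austal's network design or any code from the original article; the zone names (corp_au, eng_us, jump_us and so on) and the rules between them are hypothetical. It compares a default-deny segmented policy with a flat network, and includes a pre-change check of the kind a network team can run before pushing a new firewall rule.

```python
"""Blast-radius model for network segmentation (added illustration).

Zones and the flows allowed between them are hypothetical.  Anything not
listed in a policy is denied (default deny), which is the assumption that
makes segmentation meaningful.
"""
from collections import deque

# Hypothetical segmented design: the Australian corporate and engineering
# networks can reach each other through the DMZ, but the US program network
# (eng_us) only accepts traffic from its own jump host.
SEGMENTED_POLICY = {
    "internet": {"dmz"},
    "dmz": {"corp_au"},
    "corp_au": {"dmz", "eng_au"},
    "eng_au": {"corp_au"},
    "jump_us": {"eng_us"},
    "eng_us": set(),
}

# The same zones with no segmentation: every zone can talk to every other.
FLAT_POLICY = {z: set(SEGMENTED_POLICY) - {z} for z in SEGMENTED_POLICY}


def reachable_zones(policy, start):
    """Transitive closure of allowed flows from `start` (breadth-first search
    over the zone graph).  Returns the zones an attacker who controls a host
    in `start` can reach at the network layer, excluding `start` itself."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in policy.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius_report(policy, compromised, crown_jewels):
    """Summarise what a compromise of `compromised` exposes, given the policy."""
    reach = reachable_zones(policy, compromised)
    return {
        "compromised": compromised,
        "reachable": sorted(reach),
        "crown_jewels_exposed": sorted(reach & set(crown_jewels)),
    }


def rule_breaks_isolation(policy, src, dst, protected, allowed_ingress):
    """Pre-change check: if the flow src -> dst were allowed, could any zone
    other than the designated ingress zones reach a protected zone?  Returns
    True when the proposed rule would break the isolation of `protected`."""
    trial = {zone: set(flows) for zone, flows in policy.items()}
    trial.setdefault(src, set()).add(dst)
    trial.setdefault(dst, set())
    trusted = set(protected) | set(allowed_ingress)
    for zone in trial:
        if zone in trusted:
            continue
        if reachable_zones(trial, zone) & set(protected):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("segmented", SEGMENTED_POLICY), ("flat", FLAT_POLICY)):
        print(name, blast_radius_report(policy, "corp_au", ["eng_us"]))
    # A request to open corp_au -> eng_us "for convenience" fails the check.
    print("corp_au -> eng_us breaks isolation:",
          rule_breaks_isolation(SEGMENTED_POLICY, "corp_au", "eng_us",
                                {"eng_us"}, {"jump_us"}))
```

Run as a script, the report for the segmented policy shows a compromise of corp_au reaching only dmz and eng_au, while the flat policy exposes eng_us as well; the isolation check then rejects the proposed corp_au to eng_us rule. The same model can be fed from real firewall exports to answer "what can this compromised segment reach?" during an incident.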
An organization should develop a network design and cybersecurity strategy that account for applicable laws and regulations, industry best practices, and the needs of the organization.  Austal’s defense work necessarily involves classified information, warranting numerous cybersecurity measures, including network segmentation.  In this case, it appears that network segmentation played a role in protecting sensitive US defense information from the breach.  
Department of Health and Human Services Says FDA Not Doing Enough to Address Medical Device Cybersecurity
By: Daniel S. Marvin 
We previously reported on the growing problem of cyber risks associated with medical devices (for example, "The Heart of the Matter: Pacemakers and Cybersecurity"). While device manufacturers and end-users often rely on the Food and Drug Administration (FDA) for guidance and resources to deal with those risks, the FDA's preparedness was recently called into question by the U.S. Department of Health and Human Services' Office of Inspector General (OIG).  As a result of an audit, the OIG found that while the FDA had plans and processes for addressing certain medical device problems in the postmarket phase, those plans and processes were deficient for addressing medical device cybersecurity compromises. Specifically, the OIG found that the FDA's policies and procedures were insufficient for handling postmarket medical device cybersecurity events; the FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices; and, in 2 of 19 district offices, the FDA had not established written standard operating procedures to address recalls of medical devices.
As a result of the audit, the OIG recommended that the FDA do the following: (1) continually assess the cybersecurity risks to medical devices and update, as appropriate, its plans and strategies; (2) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders who have a "need to know"; (3) enter into a formal agreement with Federal agency partners, namely the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, establishing roles and responsibilities as well as the support those agencies will provide to further the FDA's mission related to medical device cybersecurity; and (4) ensure the establishment and maintenance of procedures for handling recalls of medical devices vulnerable to cybersecurity threats.
In response to the audit, the FDA agreed with the OIG’s recommendations and said it had already implemented many of them during the audit and would continue working to implement the recommendations in the report. However, the FDA unsurprisingly disagreed with OIG’s conclusions that it had not assessed medical device cybersecurity at an enterprise or component level and that its preexisting policies and procedures were insufficient. 

At the end of the day, from a risk mitigation standpoint, it is essential for device manufacturers and other stakeholders to ensure that their own cybersecurity policies and procedures are up-to-date and adequate. While the FDA can be looked to for guidance, there is no substitute for being your own best advocate.

Email us at cybersecurity@morrisonmahoney.com
Our team: Daniel Marvin, Robert Stern, John Knight, Michael Aylward, Christopher Martin, Anthony Abeln, Alex D'Amico and Jennifer Chan.

This communication, which we believe may be of interest to our clients and friends, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at dmarvin@morrisonmahoney.com or Robert Stern at rstern@morrisonmahoney.com.

With 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at: www.morrisonmahoney.com.
120 Broadway, Suite 1010 | New York, NY 10271
Phone: 212-825-1212 | www.morrisonmahoney.com