Morrison Mahoney  
Connecticut  >>  Massachusetts  >>  New Hampshire  >>  New Jersey  >>  New York  >>  Rhode Island  >>  United Kingdom

Cybersecurity, Data Protection and Privacy Newsletter

January 8, 2019
Happy New Year! Welcome to the Morrison Mahoney Cybersecurity, Data Protection and Privacy Newsletter. If you haven't already, please sign up to have future newsletters automatically sent to your inbox.  
  • MUST READ FOR HEALTHCARE ORGANIZATIONS!: On Friday, December 28, 2018, the Department of Health and Human Services (HHS) released the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication, consisting of four volumes which aim to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems. Although the practices are voluntary,  look for the HICP to set the standard for what will be considered “reasonable” cybersecurity practices for healthcare organizations. 

  • The Main HICP document examines cybersecurity threats and vulnerabilities that affect the healthcare industry, and explores (5) current threats and presents (10) practices to mitigate those threats. Technical Volume 1 discusses the ten Cybersecurity Practices along with Sub-Practices for small health care organizations, and Technical Volume 2 discusses those same issues for medium and large health care organizations. Finally, the HICP provides Resources and Templates for end uses to reference. We will be providing our healthcare clients and friends more insight into the HICP in the coming weeks. 

  • On January 1, 2019, Vermont's Data Broker Regulation, which is the country's first privacy law specifically targeting data brokers, became effective. The law requires state registration of any business that knowingly collects and sells or licenses to third parties the brokered (ie. categorized) personal information of a consumer with whom the business does not have a direct relationship. The Vermont Attorney General's Office has published very informative guidance on the new law which can be found here

  • New Year, New Breaches: Centerstone Insurance and Financial Services (doing business as BenefitMall), Humana, the Dental Center of Northwest Ohio, Blue Cross Blue Shield of Michigan and BlankMediaGames are among those that recently announced data breaches (some breaches occurred through third-party vendors). Marriott also announced that in the massive breach it suffered in November of last, hackers accessed approximately 5.25 million unencrypted passport numbers.

  • On New Year's Eve, the Dark Overlord hacker group announced that it breached a law firm representing Hiscox Syndicates Ltd., among others, in lawsuits related to the 9/11 attacks, and threatened to publicly release internal litigation and related files unless its ransom demands were met. The law firm reportedly paid the ransom, but also contacted law enforcement, which the Dark Overlord took umbrage to. So the group, instead of returning the documents, announced a  "tiered compensation plan" in which the public could make bitcoin payments to unlock the troves of documents. The very next day, the Dark Overlord said that it had received more than $12,000 in bitcoin which was enough to unlock "layer 1," consisting of 650 documents in total, which it did in fact release, and that the entire trove would be released to the public for $2 million. The group has also offered to sell the documents to terrorist groups, foreign governments, and the media. 
For more information on any of these stories please contact Daniel Marvin by clicking here. 
...that according to digital security firm Positive Technologies, billions of people were affected by data breaches and cyberattacks in 2018, -- 765 million affected in the months of April, May and June alone -- with losses surpassing tens of millions of dollars. In addition, cyberattacks increased 32 percent in the first three months of the year and 47 percent during the April-June period, compared to the same periods in 2017. Data breaches are getting bigger, more sophisticated, and things are likely to get worse. 

BONUS: DID YOU KNOW...that according to SplashData’s Top 100 Worst Passwords of 2018, "123456" and "password" claimed the top 2 spots (for the fifth straight year) of the most commonly used passwords on the internet. It would be wise not to use those, or any of the others in the top 100.  
Morrison Mahoney is a proud sponsor of the BSidesLI Information Security Conference taking place on January 26, 2019 at the New York Institute of Technology (NYIT). In addition to its sponsorship, Morrison Mahoney Partner Daniel Marvin will be speaking at the conference on the topic of Cybersecurity Regulatory & Compliance Issues. 
BSidesLI will be hosted by NYIT with assistance from the University’s College of Engineering & Computing Sciences and Entrepreneurship & Technology Innovation Center. More information can be found here
Experian Releases its Top Five Data Breach Trends/Predictions for 2019
By: Robert A. Stern
Last month, Experian issued its “Data Breach Industry Forecast 2019” report in which it set forth its top five predictions for the data breach industry this year. A copy of the free report can be downloaded here (registration may be required). While recognizing that organizations are generally more prepared to deal with cybersecurity threats, the report observes that cybercriminals adroitly adapt to the changing landscape in cybersecurity, creating a classic game of “cat and mouse.”
Indeed, even though the most recent study by the Ponemon Institute suggests that cyber-preparedness is at an all-time high, with 82% of responding organizations stating they have incident response plans in place, the cybersecurity measures implemented are increasingly stretched and challenged by more sophisticated threats. The latest example is the recent Marriott mega breach relating to its Starwood resort properties in which in excess of 383 million customer records were compromised, including passport information, with the latest reports suggesting that the attacks were orchestrated by an intelligence arm of the Chinese Government.
In an environment where the amount of valuable data electronically stored in the cloud, on IoT devices and maintained throughout all sectors of industry exponentially grows each year, the incentive to exploit vulnerabilities in information systems and technologies to further private pecuniary and state sponsored interests remains unrelenting. 
In its Data Breach Industry Forecast Report for 2019, Experian listed the following five data breach predictions or trends for 2019: 
  • Attackers will zero in on biometric hacking and expose vulnerabilities in touch ID sensors, facial recognition and passcodes.
  • The next frontier is an enterprise wide attack on a national network of a major financial institution, which can cause millions in losses
  • A major wireless carrier will be attacked with a simultaneous effect on both iPhones and Android, stealing personal information from millions of consumers and possibly disabling all wireless communications in the United States.
  • A top cloud vendor will suffer a breach, compromising the sensitive information of hundreds of Fortune 1000 companies.
  • The online gaming community will be an  emerging hacker surface, with cybercriminals posing as gamers and gaining access to the computers and personal data of trusting players
Mindful of the trends noted above, as well as other well-known threats that may be indigenous to their organizations and industries, it is important for organizations to monitor compliance with applicable laws and regulations, as well as to implement reasonable, if not best practices, relative to their risks and resources, to protect sensitive data from potential cybersecurity threats. 
Study Finds that Hospital Advertising Expenses Increase Substantially Following Data Breaches
By: Alex D'Amico
According to an article recently published in the American Journal of Managed Care, a hospital suffering a data breach spends, on average, 64% more on its annual advertising expenditures than control hospitals in the study. Two-year advertising was found to increase even further, to approximately 79%.
The study was conducted to ascertain the relationship between hospital data breaches and their advertising expenditures, and provides further evidence of a truth that has long been apparent—that data breaches are extraordinarily expensive. Indeed, as we have previously reported, IBM’s 2018 Cost of a Data Breach Study reported an average cost of $408 per lost or stolen record in the healthcare industry, nearly three times higher than the cross-industry average of $148. The study identified efforts to repair breached hospitals' image and minimize patient loss to competitors as potential drivers of the increased advertising spending.
The study noted that breached hospitals incur significant costs associated with fixing the breach and protecting affected individuals from further harm, and that investigation of a reported breach by the Department of Health and Human Services (HHS) usually takes about a year to complete. The investigation generally concludes with a settlement, including a penalty of hundreds of thousands of dollars and/or remedial action, which typically must be implemented within 2 to 3 years. Separate from HHS investigations, some breaches result in class-action lawsuits, and the advertising expenditures investigated for the study occurred subsequent to the breach disclosure and added to those expenses. 
Beyond all of the expenses associated with a data breach, organizations may also  face the possibility of declining revenue in connection with reputational harm caused by the breach.  In sum, organizations are well-advised to undertake strong cybersecurity measures and develop robust data management and incident response plans before a data incident occurs.  Failure to do so can be a very expensive mistake down the road.
Vermont Supreme Court Finds Insurance Exclusion Ambiguous In Connection With Phishing Claim
By: Jennifer Chan
A recent case out of Vermont demonstrates, once again, how ambiguities could arise when trying to fit modern cyber threats neatly into traditional insurance language. The facts are as follows: In Rainforest Chocolate LLC v. Sentinel Insurance Company, Ltd., an employee from Rainforest received an email purporting to be from his manager, directing the employee to transfer almost $20,000 into an outside account with an electronic funds transfer. The employee did as instructed. However, the employee did not know that his company had been victimized by a phishing scheme whereby­ an outsider gained control of his manager’s email account and sent that email. Rainforest froze its account as soon as it learned of the scam, and was able to limit its loss to just over $10,000.
Rainforest reported this loss to Sentinel, which had issued a business-owner policy to the company. Rainforest claimed coverage under a variety of provisions, but Sentinel denied coverage relying on the "False Pretense Exclusion" in its insurance policy. Under the False Pretense Exclusion, there was an exclusion for “physical loss or physical damage caused by or resulting from voluntarily parting with any property by you or anyone else to whom you have entrusted the property if induced to do so by any fraudulent scheme, trick, device or false pretense.”
The lower court denied Rainforest’s motion for summary judgment and entered judgment in favor of Sentinel. On appeal, the Court reviewed the insurance policy to determine whether the False Pretense Exclusion barred coverage for the loss experienced by Rainforest. Rainforest argued that even though it voluntarily parted with its money, electronic funds are intangible and therefore there was no “physical loss."
The Vermont Supreme Court agreed, adopting the interpretation of the same provision as did the District Court of Montana in September 2018, which concluded that the provision was ambiguous since the insurance policy made a distinction between “loss or damage” and “physical loss or damage.” Thus, whether or not the lost property was physical mattered, and the claimant did not suffer a physical loss since the transfer of funds were intangible. Due to the ambiguity, the Court interpreted the provision in Rainforest’s favor so that coverage was not barred by the False Pretense Exclusion. Although we may see less and less of these types of cases as the cyber insurance market matures, it is vitally important for all organizations to understand the coverage that they have with respect to cyber threats, and equally understand any gaps in coverage or issues that may arise in the event of a claim.     
Email us at
Learn more about our team by clicking on the images below.
Daniel Marvin, Robert Stern, John Knight
Michael Aylward, Christopher Martin and Anthony Abeln
Alex D'Amico and Jennifer Chan

This communication, which we believe may be of interest to our clients and friends is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments, and all copies. This may be considered attorney advertising in some jurisdictions. If you have any questions about the items above or Morrison Mahoney's Cybersecurity, Data and Privacy Protection practice, please feel free to contact Daniel Marvin at or Robert Stern at rstern@morrisonmahoney.comWith 180 attorneys and 10 offices throughout the Northeast, Morrison Mahoney LLP is one of the leading business and litigation firms in the region. We provide a wide array of legal services covering cybersecurity, litigation, transactional, appellate and insurance coverage practice areas. For more information about the firm, visit our web site at:
120 Broadway, Suite 1010 | New York, NY 10271
Phone: 212-825-1212 |
Manage your preferences | Opt out using TrueRemove®
Got this as a forward? Sign up to receive our future emails.
View this email online.
This email was sent to .
To continue receiving our emails, add us to your address book.
Subscribe to our email list.