Cybersecurity & Data Privacy Insights

Eric Levine and Robert Anderson co-authored the recently published article in Training Industry addressing the need of businesses to assess their own cybersecurity risks and openly exchange internal information to effectively address and mitigate an actual breach situation. Yet a company’s internal assessments of its own weaknesses and the holes in its cybersecurity protections can, ironically, actually expose the company to even greater danger in future security breach litigation.

Read the full article online here.

Training Industry, Inc. (Dec. 18, 2018). How Cybersecurity Training Protects Your Organization Even After a Breach.

 


Originally published in the October 2018 issue of HR News.

Combatting cyber-threats and protecting data is not only the job of an IT department. Human resource professionals play a critical role in safeguarding personally identifiable information as well. Indeed, if there is one area in every company that has in its possession a literal treasure trove of sensitive information, it is Human Resources. Who else has access to employees’ names, addresses, dates of birth, social security numbers, bank account information (for direct depositing of paychecks), health and medical information (originating from health insurance applications and flex plan reimbursement materials) and financial information, especially if your company has a self-directed 401(k) plan and contributions are automatically deducted from payroll? Needless to say, a data breach implicating your Human Resources department could be devastating. So what can you as a human resource professional do to assist in maintaining the integrity of your company’s data? Plenty.

Collaborate with IT and Legal departments:


Eric Levine, Lindabury’s Cybersecurity & Data Privacy Group Co-Chair, provided insight to SC Media for their recent white paper, Hiding in Plain Sight. Eric suggests that an organization consider and understand what types of data might be vulnerable to attack in order to understand the implications of responding to unauthorized accesses of that information.

You can download a copy of the white paper here.


If you are not already thinking about cybersecurity for your company or firm, you should be. Regardless of your organization’s size or industry, cyber crime is probably the greatest threat to your bottom line today.

One of the most important things a company/firm can do is to regularly conduct an investigation to understand what its cybersecurity defense weaknesses and vulnerabilities may be. The results of such an investigation most likely will produce a lengthy list of potential problem areas that in an ideal world should all be promptly and exhaustively remedied. Many times, this remedial approach is not feasible as most companies have budgetary and other practical limitations that may require them to prioritize which vulnerabilities to address first, and the degree of remediation of each such vulnerability that can reasonably be undertaken at a given time.

Unfortunately, another problem with this scenario is that the company or firm will end up with a written report identifying all variety of cybersecurity weaknesses, and then a set of actions that address some — but not all — of those weaknesses. If, at a later date, the organization experiences a cyber breach incident, this written report is likely to become Exhibit A of any plaintiff action against the company over that breach. The report, after all, shows that the company or firm clearly knew about certain vulnerabilities and chose not to remedy several of them.

Lindabury’s Cybersecurity and Data Privacy Practice Group Co-Chair Eric Levine was recently interviewed by NJBIZ regarding the recent security lapse of a South Jersey physicians network which wiped out the password protection on a supposedly secure site.

Eric says, “A company that engages in thorough due diligence may be able to use that as a defense if it’s sued as a result of a third-party provider hack.”

“It’s important to deal with cybersecurity and other issues up front, especially when you’re dealing with a new vendor,” Levine said. “Consider the depth of access to your data that they need, too. If a firm is just providing you with paper products, they don’t need deep access to your data, so a cybersecurity audit may not be very important.


Robert Anderson, Co-Chair of Lindabury’s Cybersecurity & Data Privacy practice group, was recently interviewed by ROI-NJ’s Tom Bergeron regarding the European Union’s May 25th institution of the General Data Protection Regulation (GDPR). Bob feels GDPR will have a huge impact in Europe where there is a different view of privacy. “In the EU, they have taken the position that privacy is a fundamental human right and we certainly have not taken that position in the U.S., especially in terms of digital information.”

To read ROI-NJ’s full online article click here.

A recent interview with Robert Anderson, co-chair of the Cybersecurity & Data Privacy practice group, has been included in New Jersey Business Magazine’s recent cover story, “The Digital Landscape Evolves”. Regarding employees who work remotely, who may now pose a risk to their companies, Bob says, “I think everybody, every company, realistically, within the constraints of what they can reasonably do, should devote significant attention to these kinds of remote access liability issues.” Bob will be among a panel of Cybersecurity professionals at NJBIA’s upcoming “The Internet of Things – Transforming Your Business” Summit on April 20th in Newark, NJ.

To read the full article click here.

Bob Anderson, co-chair of Lindabury’s Cybersecurity and Data Privacy practice group, was recently interviewed by Karen Talley of FierceCEO, a publication that is considered a must-read source for running a business. Bob reports to Ms. Talley that “there is a tendency for businesses to not put the emphasis on employees, but they are the greatest vulnerability” and that “most cyberbreaches are caused by employees, inadvertently.”

To read the full article online click here.

Eric Levine, Co-Chair of Lindabury’s Cybersecurity & Data Privacy practice group, was recently interviewed regarding the constant threat of cyberattack facing companies today. Eric says, “No matter how big or small your business, cybersecurity affects you. Companies need to anticipate that they will be a victim at some point, if they are not already. There are two types of companies out there: those that have been breached and those that have but just don’t know it.”

To read the full interview click here.


Over the past several months, our firm’s Cybersecurity and Data Privacy Practice team has had ample opportunity to report on a number of high-profile security and data breaches. It appears that trend is going to continue as another massive cyber-breach was just reported. This time, it was Uber that had its network breached, and that breach impacted 57 million users of the ride-sharing service, as well as 600,000 Uber drivers. Although it pales in comparison to other recent breaches like those of Equifax and Yahoo in terms of the number of individuals whose data was stolen, the Uber breach is equally important in developing your own awareness of how to respond to data breaches. Uber provides another example of what not to do when a data breach occurs. Uber’s mistakes are numerous and could have long-lasting consequences. Here are a few of those mistakes, followed by some advice on how to avoid them.

Mistake #1: Uber fails to notify victims of the breach: Uber reported that its network was compromised in late 2016, yet Uber did not alert victims of the breach until November 21, 2017. The scope of the breach is apparently international, with data protection agencies in the United Kingdom, Australia and the Philippines looking into possible violations of their respective countries’ privacy laws. In the United States alone, there are forty-eight different state laws governing security breach notifications, many of which require notice to be provided as soon as possible. Waiting almost a year before providing notice to individuals whose information is unlawfully accessed likely exposes Uber to liability in a multitude of states and countries in which Uber can expect to be, and has already been, sued. As of November 23, 2017, at least two class action lawsuits have been filed in California claiming that Uber “failed to implement and maintain a responsible security procedures and practices appropriate to the nature and scope of the information compromised in its data breach”. Attorneys General from Illinois, New York, Connecticut and Massachusetts have been reported as opening investigations, and it is a practical certainty that dozens of their colleagues will soon follow their lead.

Mistake #2: Uber fails to notify governmental authorities of the breach: To make matters worse, in addition to not notifying individual victims of the data breach, Uber did not provide timely notice to governmental agencies until recently. In doing so, Uber has potentially exposed itself to regulatory penalties, including fines and potential lawsuits, as well as likely having to appear at state and federal level inquiries, either voluntarily or through the use of subpoenas. Unfortunately for Uber, its explanation as to why it failed to notify the proper authorities is going to be aired to the public, likely in real time.
