Cybersecurity & Data Privacy Insights

On June 1, 2017, New Jersey Governor Chris Christie signed Executive Order 225 directing NJ’s Chief Technology Officer to set in motion actions to deliver a more secure, efficient, and reliable information technology platform and services across the Executive Branch.

Previously, each state department and agency oversaw its own information technology services, software and hardware integration. Under the new Executive Order, the Chief Technology Officer of the State of New Jersey is granted broad authority to oversee and integrate the hardware, software, and other information technologies used by departments and agencies within the Executive Branch. In speaking to the Chief Technology Officer at the signing of the Executive Order, Chris Christie stated:

“This is a big day in changing state government. To take away that authority and personnel from every one of the state departments and agencies and put it in your hands is a sea change in the way government is managed given how integral information technology is to the everyday operation of government. This is about a common-sense approach to taking us to a new level in terms of our information technology, and what we know is our customers, the 8.9 million people of the State of New Jersey are going to demand we do it.”

Lindabury’s Cybersecurity and Data Privacy Practice Group Co-Chair Eric Levine spoke at the NJBIZ Cybersecurity conference on May 17th at the Raritan Valley Country Club in Bridgewater, explaining how companies can get hurt by doing the right thing when it comes to cybersecurity.

“To protect any small business, you need to have legal involved, if for no other reasons than to cloak what you are doing with privilege or confidentiality — by that, I mean communications with your attorney that nobody else can get to,” he said.

“Think about it,” he told the audience. “You hire (an expert) who comes in and does a vulnerability assessment and they find out you have a gaping hole in your security. That’s great. You fix it.


Eric Levine, Lindabury’s Cybersecurity and Data Privacy Group’s Co-Chair, was recently interviewed by NJBIZ’s Brett Johnson regarding a business’s first line of defense against a cyberattack. Levine says the approach exploits features inherent to human nature. “It’s preying on people’s inquisitive side,” Levine said. “And you can’t buy a firewall for that.”

“Yes, there are hackers who are out there who are trying to break through firewalls through different approaches, including state-sponsored actors, and there are many technologies to protect against that,” Levine said. “But it’s the social engineering — (stuff like) phishing scams — that capitalizes on mistakes people make that are the easiest tools to utilize.”



Lindabury’s Bob Anderson, shareholder and co-chair of the Cybersecurity and Data Privacy Group, was interviewed by NJBIZ’s Tom Bergeron in response to the worldwide ransomware attack over the weekend. Bob said the attacks last weekend were not a surprise at all to the people in the industry.

“It was just a matter of time before something like this happened,” he said. “We’ve seen ransomware attacks pick up at an incredible level the past few years. It was just going to happen at some point that somebody was going to launch something that was going to travel from computer to computer and spread to every country in the world.”

Lindabury will be represented at the NJBIZ Cybersecurity panel discussion on May 18th at Raritan Valley Country Club in Bridgewater, where the Cybersecurity and Data Privacy Group’s co-chair Eric Levine is participating as a panelist.

May 3, 2017 was a bad day for Google as a major phishing attack spread like internet wildfire, targeting users of Google Docs. However, as bad as it was for Google, it provided us with a real-life example of how the first line of defense against a cyber-attack is none other than you and me. People, not breached firewalls or a lack of encryption, are often the cause of a major cyber incident, but with a little diligence, we can present a formidable front-line defense.

What occurred on May 3, 2017 has been described as a widespread phishing scheme through which people received an email, apparently originating from a trusted source, that asked the recipient to open a Google document that was embedded within the email. If the recipient of the email opened the Google document, they would have granted the sender access to the recipient’s email account and contacts. Once the Google document read the recipient’s contacts, it in turn sent more phishing attempts to the recipient’s contacts. The cycle repeated itself rapidly, and Google estimated that the attack spread so quickly that at the peak of the attack, Google’s customer base saw about 150 messages sent per minute. It was estimated that the attack may have affected at least one million people.

Phishing is a form of social engineering that involves sending emails that appear to come from a trusted source or someone the recipient knows, in an effort to obtain the recipient’s computer credentials, to break into the recipient’s private accounts and obtain their personal information, or to infect the recipient’s computer systems. It is a common method of cyber-attack today and one, as Google can attest, that can quickly cause widespread havoc.


Cybersecurity experts have observed that hackers and cybercriminals are increasingly targeting small and medium-sized businesses and that these efforts account for 60% of all cyberattacks. One expert described these companies as the “soft underbelly” of cybersecurity. Companies of all sizes face potentially significant costs in responding to a data breach and losses including business disruption, lost revenue and loss of reputation. The average time to resolve a cyberattack has been estimated at 46 days and costs can increase if the damage is not resolved quickly.

Such expenses could be catastrophic for small or medium-sized businesses, so it is important for such companies to understand the insurance implications and select the appropriate coverage to protect against losses from a cyberattack.

TRADITIONAL INSURANCE

Businesses have a major need to assess their own cybersecurity risks, and to openly exchange internal information within the company to effectively address and mitigate an actual breach situation. Yet a company’s internal assessments of its own weaknesses and the holes in its cybersecurity protections can, ironically, actually expose the company to even greater danger in future security breach litigation. A company’s good faith internal report of its cybersecurity weaknesses can potentially serve as almost an admission that it has found its cybersecurity protections for personal and confidential data to be inadequate.

Similarly, it is of extreme importance that, in the midst of dealing with a cyber breach event, the company’s personnel freely exchange information related to the breach crisis situation, quickly and without undue worry about how the disclosure of that information might look in a future litigation discovery proceeding.

The involvement of the company’s legal counsel in all important aspects of a cybersecurity risk assessment and breach response is crucial because of the protections that involvement can potentially provide the company under the doctrines of (i) attorney-client privilege, and (ii) work product protection.

The United States does not currently have a single comprehensive federal law regulating data privacy and cybersecurity matters. Instead, there is a patchwork of laws which at times overlap, and in other cases may even potentially contradict one another. This patchwork, together with the growth in interstate and international data flow, heightens the risk of privacy violations and can create significant compliance challenges. Failure to meet these challenges, however, can result in government imposed civil and criminal sanctions (including fines and penalties), private lawsuits and class actions, as well as damage to a company’s reputation and customer trust.

The following is a brief summary of some of the most significant Federal legislation impacting data privacy and cybersecurity matters.

Federal Trade Commission Act (the “FTC Act”)

Identity theft is an area of major concern for consumers and businesses alike. Roughly nine million individuals in the U.S. can expect to have their identity stolen each year. With just a few items of personal information (such as the name, social security number, and the date of birth of an individual) a cyber-criminal can potentially drain existing accounts or open new credit card accounts with devastating consequences for the unwitting consumer’s credit ratings and future path in life. If your business has been lax in protecting the privacy of such personal information in its possession, you may be inviting your own devastating consequences: lawsuits by individuals experiencing identity theft as a result of your lax procedures, regulatory enforcement actions, and damage to your business reputation and loss of trust by your customers.

The Red Flags Rule, issued by the Federal Trade Commission (“FTC”), requires financial institutions and creditors with covered accounts (as defined in the Red Flags Rule) to develop a written program that identifies and detects the relevant warning signs, or red flags, of identity theft.

Red flags can include, for example:

It is a day that virtually every business owner fears: the day you receive word from your IT department that your company’s computer system has been hacked. A million thoughts rush through your head, but they all come back to one question: what do I do right now to protect my company, my employees and my customers? The answer may seem daunting, but an answer does exist. This article attempts to provide you with a few of the basics on how to respond to a cyber-attack, focusing on the first step: establishing your cyber-response team.

The first step to be taken upon learning of a cyber-breach is to understand what happened and what type of breach occurred. For example, is your system being held hostage by ransomware, or did an employee mistakenly release confidential information? There are a number of common circumstances for cyber-breaches, such as: employee negligence, like losing a laptop or flash drive containing personally identifiable information (“PII”) or protected health information (“PHI”); malicious insider behavior, such as the disgruntled or dishonest employee who steals company information to use for some nefarious purpose against the company; and, perhaps the most widely publicized breach as of late, hacking and cybercriminal activity.

In order to understand what happened and how best to react, the initial step is to assemble a team of cybersecurity professionals who can assist with all facets of the cyber-breach. In a perfect world, your company has already established its own cyber-breach response team, but if you have not done so, you will need to hire professionals as soon as possible after learning of the cyber-attack. This means engaging individuals who possess expertise in information technology and are experienced in evaluating the severity and scope of a cyber-breach. The cyber-breach needs to be quickly identified, affected systems need to be isolated, defenses against future breaches need to be put in place, and steps to recover data need to be taken.
