Banking Trojans and Financial Risk

A Q&A with Sherri Davidoff, CEO of LMG Security and BrightWise, Inc.
One of the most disturbing developments in financial cybercrime is the advent and increasing popularity of banking Trojans, which pose a grave risk to both consumers and financial organizations. To find out more about banking Trojans and how to avoid them, we spoke to Sherri Davidoff, cybersecurity expert, author, speaker and CEO of both LMG Security and BrightWise, Inc.

Ransomware Negotiations

A Q&A with Bill Siegel of Coveware
Given the prevalence and sophistication of ransomware—not to mention the financial stakes involved in these exploits—it’s no longer wise to leave delicate negotiations to internal staff. We spoke to Coveware’s CEO and cofounder Bill Siegel about the nuances involved in handling threat actors and why having data at the ready can better inform a company’s decision-making.

Catastrophic Ransomware

A Q&A with Chris Nyhuis of Vigilant Technology Solutions
Cyber security threats are always evolving, but in the last six months, a vicious new breed of ransomware attack has emerged, powerful enough to take down an enterprise organization. To learn more about it, we talked to Chris Nyhuis, President and CEO of Vigilant Technology Solutions, an international security and total IT solution provider.

Business Email Compromises in Office 365

A Q&A with Chris Salsberry of Crypsis
One of the most prominent cyber threats affecting companies right now is business email compromise (BEC). These attacks typically begin with phishing emails that capture log-in credentials. The widely used cloud-based Microsoft Office 365 has proven especially vulnerable, with millions of dollars lost in fraudulent wire transfers over the past couple of years. We talked to The Crypsis Group’s senior director Chris Salsberry about this attack vector and how companies can avoid being compromised.

Medical Devices and Data Risk

A Q&A with Paul Otto of Hogan Lovells
Given recent events such as the 2017 WannaCry ransomware attack that affected more than 200,000 computers across 150 countries, concerns about data privacy and medical devices have come to the fore with increased scrutiny from regulators. To understand the risks medical devices pose and how companies are responding, we spoke to Paul Otto, senior associate of Hogan Lovells in Washington, DC.

The California Consumer Privacy Act and the Future of Privacy Law in the US

A Q&A with Jon Neiditz of Kilpatrick Townsend & Stockton LLP

Passed in 2018 and slated to go into effect January 2020, AB 375 or The California Consumer Privacy Act (CCPA) was created to give consumers better ownership and control over their personal data but opens up a world of compliance questions for businesses that sell such data. We spoke with Jon Neiditz, who co-leads the Cybersecurity, Privacy and Data Governance practice at Kilpatrick Townsend and Stockton LLP about the Act and its implications for the future of privacy regulation.

NetDiligence Security & Privacy Advisory – California Consumer Privacy Act

NetDiligence® Security/Privacy Advisory – June 28th, 2018
California Consumer Privacy Act (2018) Becomes Law; Takes Effect 1/1/2020

This NetDiligence Security/Privacy Advisory is published for the benefit of our cyber insurance carrier/broker clients and their insureds. We urge clients to take special note of the details included in this Advisory and take preventative/remedial action on a timely basis. Clients are welcomed to distribute this Advisory to their colleagues and others as they see fit, provided it is distributed without modification of its contents.

Today, June 28th, 2018, marks a turning point in consumer data privacy protection in the United States, as California enacts the strongest such law in the country, giving consumers greater rights to restrict how private businesses collect and share/sell their personally identifiable information with third parties.

NetDiligence® Security Advisory – KRACK Wi-Fi Exploit

NetDiligence® Security Advisory – October 17th, 2017

KRACK WPA2 Wi-Fi Exploit Status and Protection Tips

This NetDiligence Security Advisory is published for the benefit of our cyber insurance carrier/broker clients and their insureds. We urge clients to take special note of the details included in this Advisory and take preventative/remedial action on a timely basis. Clients are welcomed to distribute this Advisory to their colleagues and others as they see fit, provided it is distributed without modification of its contents.

Closing the Gaps: Healthcare Organizations, Third Parties and Data Security Risk

A Q&A with Antony Kim and John Wolfe of Orrick, Herrington and Sutcliffe
The recent HIPAA breach at St. Elizabeth’s Medical Center in Brighton, MA, brought some key issues to light. With the continual outsourcing of healthcare sector computing for ePHI data to external third-party clouds, it’s becoming increasingly vital that the covered entity (CE) and/or business associate (BA) has a good handle on their cloud provider’s actual operational and data security practices. I talked to Antony Kim and John Wolfe of Orrick, Herrington and Sutcliffe about vigilance in the face of this vulnerability.

Data Collection Liability and Trends

A Q&A with Dominique Shelton
The area of mobile app customer data collection is fraught with heightened regulatory interest. In the past 18 months, industry leaders have come together to create the Best Practices in Mobile Data Collection guidance while the California Attorney General released “Privacy on the Go.” To get a better handle on the issue of mobile app data collection, I spoke with Dominique Shelton of Edwards Wildman Palmer, LLP in Los Angeles, CA.

Can you provide an example of a business being sued for wrongful data collection?
It is important to keep in mind that data collection has been challenged by plaintiffs and regulatory agencies when an argument can be raised that the consumers did not understand that their data was being collected. The focus of the FTC and certain regulators like the California Attorney General has been on compliance with “privacy by design.” This means giving consumers sufficient notice and the choice to make meaningful decisions about their data and how it’s used. Currently, there are over 176 class actions pending around the country, based on behavioral advertising or tracking information to create customized products or targeted advertising. One recent example is the case the California Attorney General brought against Delta Airlines for not posting a mobile privacy disclosure. We have also seen class actions filed against a major studio and search engine in December, challenging mobile apps that allegedly collect behavioral information from users under the age of 13. So in this environment it’s very important for companies to take a look at this issue.

What types of data can get businesses into trouble?
Certainly, any personally identifiable information, such as name, address, phone numbers or email that may be collected without disclosure. And now we’re starting to see risk around behavioral data that identifies the user’s mobile device or social networking ID associated with their Facebook profile, for instance. Those identifiers are considered personally identifiable information by regulators. The CA AG recently issued the “Privacy on the Go” report, in which personally identifiable information is defined as “any data linked to a person or persistently linked to a mobile device—data that can identify a person via personal information or a device via a unique identifier.” Also, the FTC is moving towards a definition of personal information that includes any data “reasonably linkable” to an individual based upon the comments of users that unique identifiers can be linked to other information to identify users personally. Of course, we are also seeing financial and health data as an area of interest and this is considered “sensitive” information as well.

Are there any states with stricter laws that increase liability?
No. California doesn’t have a law yet. There is a Do Not Track bill pending but it hasn’t gone through to a full vote. In the context of class actions, most have been filed using older statutes such as the Electronic Privacy Act and the Computer Abuse Act, claiming that tracking violates those statutes. Although there is not a distinct Do Not Track bill, it is important to know that this issue is getting greater attention by regulators and this in and of itself may create a new standard. For example, “Privacy on the Go” does create a de facto new standard for the country by recommending security, encryption and protection standards for unique identifiers and behavioral data that was previously considered by many companies to be non-personally identifiable information, not subject to enforcement. Further, the class actions that have been brought based upon the creation of ad profiles from the users’ online behavior also act as a check for how companies should consider compliance. Further, the SEC October 2011 guidance calling for disclosure of all material cyber risks by public companies is useful.

What can a business do to mitigate their risk?
First, take a look at online disclosure and mobile disclosure policies. Supplemental notice is ideal. Make sure that someone in the company is responsible for privacy compliance—it could be the chief privacy officer or someone in the legal department or product development. They should be in touch with self-regulatory groups that have promulgated guidelines to address these issues. At a minimum, the company should be in step with its peers in addition to focusing on the latest guidance materials and which activities will attract the attention of regulators. There needs to be a dialogue between the privacy group and product development and marketing so that when new products are rolled out they can vet their use of customer information and make sure they are up to date on their legal obligations. Also, conducting annual trainings on privacy practices is a good idea and recommended by the CA AG.

In summary…
Ms. Shelton has provided an excellent summary on some emerging ‘big data’ issues that impact organizations that collect and use private information without adhering to reasonable privacy principles. Dominique mentions the Delta Airline case, which could serve as a bellwether case for mobile apps that are deployed without much regard for privacy policy/principles (i.e., customer notice and consent to the use of their personal information). Delta is facing a massive California AG penalty of $2500 per download (reportedly, Delta had a million downloads). One might argue what Delta did with its mobile app is a common practice, one that needs to be ceased immediately.