In the age of the data breach, lawyers and law firms have a lot in common with comic book superheroes: they are locked in a relentless battle against a cunning, ever-changing threat. This past week, Foley & Lardner experienced a “cyber event,” adding its name to the list of cyber attack victims, which, according to Bloomberg Law, includes DLA Piper, Cravath, Swaine & Moore, Weil, Gotshal & Manges, over one third of small and medium-sized firms, and just under one quarter of large firms. Because of this growing and serious threat to the legal profession, the ABA published Formal Opinion 483 to direct attorneys and law firms on how they should handle data breaches before, during, and after an event. In short, lawyers are not expected to be as bulletproof as Superman, but they must take proactive steps to protect sensitive client data and they must disclose material data breaches. Continue Reading The ABA Says Lawyers Have Obligations Before and After a Data Breach

More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that it suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This breach continues to be the largest breach of protected health information to date.  Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the massive breach.  Continue Reading Anthem Agrees to Pay Largest HIPAA Settlement at $16M for Massive Breach

After a data breach at VTech revealed practices that allegedly violated the FTC Act and the Children’s Online Privacy Protection Act (COPPA), VTech settled for $650,000 and agreed to implement a comprehensive data security program subject to audit for the next 20 years.  VTech makes children’s electronic learning products.  The FTC complaint alleged that VTech’s privacy policy promised that it would encrypt most transmitted information but it did not.  Further, the FTC claimed that VTech failed to comply with COPPA rules regarding the protection of information of children under 13.  This settlement illustrates that the FTC is not letting businesses off the hook for lax information security programs and highlights the importance of accurate privacy policies.  Know what rules apply to your business and be sure that the promises you make to your customers with respect to privacy are accurate.  More information on the FTC settlement can be found here.

In the first week of the New Year, we learned that most computer processor chips sold over the past 10 years are vulnerable to side-channel attacks.  These vulnerabilities, dubbed Spectre and Meltdown, could grant a hacker access to sensitive information, such as passwords and other personal information.  According to the US Computer Emergency Readiness Team (US-CERT), and unlike software vulnerabilities such as those exploited in the WannaCry attacks, Spectre and Meltdown may require more than patches for protection because the vulnerability is in the chip itself.  In the short term, however, installing patches or updates may still be the best bet.  Chip manufacturers are working to push out updates.  US-CERT warns that the updates may diminish performance by up to 30% and recommends close performance monitoring.  See the US-CERT page for information on patch availability and recommendations.  In addition to patching, companies should monitor systems closely for suspicious activity and data leaks and should immediately implement the company incident response plan if there are any signs or indications that data has been improperly accessed or removed.
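Because the fix for Spectre and Meltdown is a mix of microcode and operating-system updates, the practical first step after patching is to confirm what the system itself reports. The following is an added example, not code from the original post or from US-CERT: on Linux the kernel exposes one status file per CPU issue under /sys/devices/system/cpu/vulnerabilities (present since kernel 4.15), and this script reads those files and flags any entry the kernel still reports as "Vulnerable". The directory is passed as a parameter so the logic can be exercised on constructed data; the file contents used in the usage note are illustrative, and the `mitigation_state`, `check_cpu_vulns` and `count_vulnerable` function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): report the Linux kernel's
# per-issue mitigation status for Spectre/Meltdown-class CPU vulnerabilities.
# Assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities;
# the directory is a parameter so the functions can run on constructed data.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# mitigation_state STATUS_LINE
# Maps one sysfs status string to: not_affected, mitigated, vulnerable, unknown.
# The kernel's strings begin with "Not affected", "Mitigation:" or "Vulnerable",
# optionally followed by details (e.g. "Mitigation: PTI").
mitigation_state() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR]
# Prints "<issue> <state> (<raw kernel status>)" for every file in DIR.
# Returns 1 if any issue is still vulnerable, 2 if DIR is missing, else 0.
check_cpu_vulns() {
    dir="${1:-$VULN_DIR}"
    rc=0
    [ -d "$dir" ] || { echo "no sysfs vulnerability data at $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        state=$(mitigation_state "$status")
        printf '%s %s (%s)\n' "$name" "$state" "$status"
        [ "$state" = vulnerable ] && rc=1
    done
    return $rc
}

# count_vulnerable [DIR]
# Prints the number of issues the kernel still reports as vulnerable.
count_vulnerable() {
    check_cpu_vulns "$1" 2>/dev/null | awk '$2 == "vulnerable" { n++ } END { print n + 0 }'
}

# Usage: sh check_cpu_vulns.sh run
# Reports the live status and exits non-zero if any issue is unmitigated,
# which makes it usable as a check in a post-patch verification job.
if [ "${1:-}" = run ]; then
    check_cpu_vulns "$VULN_DIR"
    exit $?
fi
```

A non-zero exit from `check_cpu_vulns` is the signal to escalate: either the microcode or kernel update has not reached the host, or the mitigation was disabled on the kernel command line. Pairing this check with the performance monitoring US-CERT recommends gives a record of both whether the fix is in place and what it cost.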

W-2 phishing season is just a few weeks away.  For the past several tax seasons, cyber criminals have duped hundreds of payroll departments into providing W-2 information on their employees, which results in the filing of fraudulent tax returns and other identity theft issues.  These attacks are incredibly disruptive to employees, extremely expensive for employers and are completely avoidable with some training.  Continue Reading ‘Tis the Season: W-2 Phishing Scams Likely to Resurface After the New Year

According to Reuters, late on Friday, the Department of Homeland Security (“DHS”) and the FBI issued a warning in a report, sent to firms at risk of an attack, that critical infrastructure industries may have been targeted in cyber-attacks as far back as May. The identified industries include nuclear, energy, aviation, water, critical manufacturing industries and government entities. The report indicates that hackers successfully compromised data at some of these targets. Further, the government believes that the attacks are ongoing. Continue Reading Feds Warn of Critical Infrastructure Attacks as CT Releases Report on Utility Company Cyber-Readiness