On August 3, 2018, the Governor in Ohio signed into law the Data Protection Act, which provides businesses with an affirmative defense to data breach claims if the business was in compliance with reasonable security measures at the time of the breach. Specifically, a business would have to show that it creates, maintains and complies with “a written cybersecurity program . . . that reasonably conforms to an industry recognized cybersecurity framework.” Acceptable standards include the NIST framework and compliance with PCI requirements. For businesses subject to regulatory standards, evidence of compliance with those regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach Bliley (GLBA), will also provide protection. Many believe that this legislation will encourage businesses in Ohio to allocate more resources for cybersecurity and data protection programs.
The Department of Homeland Security (“DHS”) released its cybersecurity strategy on May 15, 2018. The 35-page document sets forth a plan for managing cybersecurity risks through public and private sector collaboration. By 2023, DHS seeks to have “improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.” The strategy document is broken into five pillars: risk identification; vulnerability reduction; threat reduction; consequence mitigation; and enable cybersecurity outcomes. DHS assures that it “will maintain a leadership role, collaborating with other federal agencies, the private sector, and other stakeholders, across all of its cybersecurity mission areas to ensure that cybersecurity risks are effectively managed, critical networks are protected, vulnerabilities are mitigated, cyber threats are reduced and countered, incidents are responded to in a timely way, and the cyber ecosystem is more secure and resilient.”
On May 3, 2018, Governor Malloy announced the release of the State of Connecticut’s Cybersecurity Action Plan, which builds on the State’s Cybersecurity Strategy launched in July 2017. Developed by Connecticut’s Chief Cybersecurity Risk Officer Arthur House and Chief Information Officer Mark Raymond, the Action Plan applies the seven principles set forth in the Cybersecurity Strategy – leadership, literacy, preparation, response, recovery, communication, and verification – to individuals, organizations, government agencies, and businesses. Continue Reading Connecticut’s New Cybersecurity Action Plan
On February 21, 2018, the SEC approved new interpretive guidance to assist public companies in preparing their disclosures about cybersecurity risks and incidents. The Release builds upon and expands on the SEC’s 2011 staff guidance on cybersecurity matters. Continue Reading SEC Issues New Cybersecurity Disclosure Guidance for Public Companies
In August, the United States Court of Appeals for the DC Circuit revived a class action lawsuit, holding that the threat of harm from a data breach is enough to satisfy the “injury in fact” standing requirement. Attias v. Carefirst, Inc., 865 F.3d 620 (DC Cir. 2017). The defendant, a group of health care insurers, filed a Petition for Writ of Certiorari to the United States Supreme Court on October 30 of last year. While the Supreme Court is deciding whether to grant the pending Petition, it is worthwhile to briefly review the standing question in the context of protecting your business from liability. Continue Reading Can’t This Just Be Over? Standing In Cybersecurity Claims
Monitor all of your accounts for any suspicious activity on a regular basis. If you see something unfamiliar, it could be a sign that you’ve been compromised. Keeping receipts and tracking your account activity will help you to see a charge that is out of the ordinary, and will help you assist the company in tracking that suspicious activity; plan to partner with that company in the investigation by providing them as much information as possible. Quick reactions can save time, money, and effort for everyone involved.
According to Reuters, late on Friday, the Department of Homeland Security (“DHS”) and the FBI issued a warning in a report, sent to firms at risk of an attack, that critical infrastructure industries may have been targeted in cyber-attacks as far back as May. The identified industries include nuclear, energy, aviation, water, critical manufacturing industries and government entities. The report indicates that hackers successfully compromised data at some of these targets. Further, the government believes that the attacks are ongoing. Continue Reading Feds Warn of Critical Infrastructure Attacks as CT Releases Report on Utility Company Cyber-Readiness
Be sure to back up your data regularly, and make sure your anti-virus software is always up-to-date. Cloud technology has made it very easy to set an automatic backup for your system, so check with your carrier and/or company to make sure that your information is backed up on a regular basis. For those that are not backing up in a cloud, it is recommended to do regular backups onto an external hard drive to save those important documents from being lost forever.
Your anti-virus software should prompt you to install new updates as they come available. The internet moves quickly and is constantly evolving. Good anti-virus software should detect newly developed viruses and provide updates to combat them. Check the settings on your software to ensure that your anti-virus software is providing optimal protection.
Limit use of free public WiFi. Sensitive browsing, such as banking or shopping, should only be done on a device that belongs to you, on a network that you trust, and one that has security features. Avoid logging in on your email and social media on unsecured networks as those passwords can be accessed easily by those hackers looking for that information. If you are using a friend’s phone, a public computer, or free public WiFi, your data could be copied or stolen while transmitting information on an unsecured network.
Take caution when clicking on attachments or links in every email. Phishing scams are a regular occurrence and can be crippling to businesses as well as individuals. If an email is unexpected or suspicious for any reason, do not click the link or open the attachment. Double check the URL of the website link; hackers will often take advantage of misspellings to direct you to a harmful domain. There are indicators to quickly spot these bad emails such as spelling errors, suspicious links, and incorrect email addresses from senders. If you encounter these bad emails, report them immediately according to your company’s security procedures.