More than three years ago, Anthem, Inc. reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), that it had suffered a cyber attack compromising the protected health information of nearly 79 million individuals. This remains the largest breach of protected health information to date. Yesterday, OCR announced its record-breaking $16 million settlement with Anthem related to the breach. Continue Reading: Anthem Agrees to Pay Largest HIPAA Settlement at $16M for Massive Breach

In the first installment of our weekly series during National Cybersecurity Awareness Month, we examine information security plans (ISPs) as part of an overall cybersecurity strategy. Regardless of the size or function of an organization, an ISP is a critical planning and risk management tool and, depending on the business, it may be required by law. An ISP details the categories of data collected, the ways that data is processed or used, and the measures in place to protect it. An ISP should address the different categories of data maintained by the organization, including employee data and customer data as well as sensitive business information such as trade secrets. Continue Reading: The Importance of Information Security Plans

In recognition of National Cybersecurity Awareness Month, each Friday this October we will highlight a different step that organizations can take to increase awareness of potential cyber threats, reduce the risk of a cyber attack, or minimize the damage from an attack. All four steps are solutions that any organization, regardless of size or budget, can implement. Specifically, over the course of the month we will examine information security plans, training, vendor due diligence, and data retention and destruction as tools organizations can use to arm themselves both to prevent a cyber attack and to respond in the event of one. Continue Reading: October is National Cybersecurity Awareness Month!

On September 18, 2018, Connecticut’s governor released an annual report on the cybersecurity sophistication and readiness of the state’s electric, natural gas and major water companies. The four participating utility companies were Aquarion, Avangrid, Connecticut Water and Eversource. Continue Reading: Report on Cyber Readiness of Connecticut Utility Companies

After a data breach at VTech revealed practices that allegedly violated the FTC Act and the Children’s Online Privacy Protection Act (COPPA), VTech settled for $650,000 and agreed to implement a comprehensive data security program subject to audit for the next 20 years. VTech makes children’s electronic learning products. The FTC complaint alleged that VTech’s privacy policy promised that it would encrypt most transmitted information, but it did not. Further, the FTC claimed that VTech failed to comply with COPPA rules regarding the protection of information of children under 13. This settlement illustrates that the FTC is not letting businesses off the hook for lax information security programs, and it highlights the importance of accurate privacy policies. Know what rules apply to your business and be sure that the promises you make to your customers with respect to privacy are accurate. More information on the FTC settlement can be found here.

W-2 phishing season is just a few weeks away. For the past several tax seasons, cyber criminals have duped hundreds of payroll departments into providing W-2 information on their employees, which results in the filing of fraudulent tax returns and other identity theft issues. These attacks are incredibly disruptive to employees, extremely expensive for employers, and completely avoidable with some training. Continue Reading: ‘Tis the Season: W-2 Phishing Scams Likely to Resurface After the New Year

On Friday, May 12, 2017, a damaging ransomware attack swept across more than one hundred countries and infected tens of thousands of computers. As is becoming all too common, the hackers transmitted the ransomware via a phishing e-mail; once the user clicked the bait, the hackers used a method thought to have been developed by the National Security Agency and locked businesses out of their systems. The ransomware impacted businesses both large and small, notably including sixteen of Great Britain’s hospitals, forcing them to turn patients away, as well as FedEx, the Russian Interior Ministry and a large Spanish telecommunications company. While affected businesses must focus on damage control and clean-up in the wake of the attack, unaffected businesses should react now and take steps to protect themselves before they are on the receiving end of the next cyber incident. Accordingly, here are five things that all businesses can do. Continue Reading: Five Things You Can Do to Protect Your Business From a Cyber Attack