On August 3, 2018, the Governor of Ohio signed into law the Data Protection Act, which provides businesses with an affirmative defense to data breach claims if the business was in compliance with reasonable security measures at the time of the breach.  Specifically, a business would have to show that it creates, maintains and complies with “a written cybersecurity program . . .  that reasonably conforms to an industry recognized cybersecurity framework.”  Acceptable standards include the NIST framework and compliance with PCI requirements.  For businesses subject to regulatory standards, evidence of compliance with those regulatory standards, such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), will also provide protection.  Many believe that this legislation will encourage businesses in Ohio to allocate more resources to cybersecurity and data protection programs.

Yesterday the United States Court of Appeals for the Seventh Circuit weighed in on the consumer class action standing issue.  The court found that Barnes & Noble customers have standing to pursue a class action concerning the hacking of the retailer’s PIN pads.  In doing so, the Seventh Circuit reversed a district court ruling dismissing the complaint for failure to adequately plead damages.  The Court of Appeals determined that the time value of money that had been removed from plaintiffs’ accounts (even though it was ultimately returned), the costs of credit monitoring, and the time invested to create new accounts all were sufficient to provide standing.

According to Reuters, late on Friday, the Department of Homeland Security (“DHS”) and the FBI issued a warning in a report, sent to firms at risk of an attack, that critical infrastructure industries may have been targeted in cyber-attacks as far back as May. The identified industries include nuclear, energy, aviation, water, critical manufacturing industries and government entities. The report indicates that hackers successfully compromised data at some of these targets. Further, the government believes that the attacks are ongoing.

It is fitting that on the first day of Cybersecurity Awareness Month, new legislation takes effect regarding one of the most destructive types of malware.  In response to the rapidly increasing rate of computer extortion cases, the Connecticut Legislature has joined several states in creating a statute specifically targeting ransomware. Ransomware is a type of malicious software that prevents access to information in a computer system until a ransom is paid.

“An Act Concerning Computer Extortion by Use of Ransomware” goes into effect on October 1, 2017.  Under the Act, the use of ransomware is a class E felony, which provides for up to three years of imprisonment, a fine of $3,500, or both. Previously, computer extortion was prosecuted under established statutes regarding computer crimes, computer-related offenses, and extortion, as well as the penalties associated with those crimes.

Just last week, a Verizon Communications vendor misconfigured a cloud server that caused the information of 6 million Verizon customers to be exposed online. When a cyber incident or data breach occurs on your vendor’s watch, regardless of fault, you own the resulting legal obligations and costs. The best tools for managing the risk of using vendors are due diligence and adequate contract provisions.