Our 2021 Data Security Incident Response Report (DSIR) described ransomware as a scourge. There are stories every day about new threat actor groups and their victims. There are task forces, law enforcement initiatives, discussions by legislators about laws to help address the problem, and real-world impact from operational disruption (such as panic-buying of gas). Most … Continue Reading
Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process … Continue Reading
Organizations are under tremendous pressure to be agile and resilient. A key part of building a mature cybersecurity posture to enable the goals of the organization is conducting ongoing risk assessments and then implementing risk-prioritized measures. Organizations contact us during this process to ask what emerging threats to guard against. Our answer always includes a … Continue Reading
The Digital Assets and Data Management (DADM) Practice Group offers holistic, enterprise-wide risk solutions to clients around “everything data.” The multidisciplinary new addition – chaired by Theodore J. Kobus III – is a strategic outgrowth of the firm’s world-class Privacy and Data Protection and Advertising, Marketing and Digital Media teams, combined with the innovative legal … Continue Reading
Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this … Continue Reading
Axioms are common in the privacy and security space. One that has been popping up with more frequency is “privacy and security is an enterprise risk that requires an enterprise-wide effort to appropriately address.” It is easy to say, hard to execute and absolutely necessary.… Continue Reading
One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain, fully investigate, and provide notification of the incident to individuals. The metric is valuable because it helps entities identify areas where they can improve before an incident occurs and … Continue Reading
On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance” as we previously covered) regarding disclosure requirements under the federal securities … Continue Reading
We are excited to release our third annual BakerHostetler Data Security Incident Response Report. This report analyzes the more than 450 data security incidents we led clients through in 2016. Companies continued to experience incidents at a record pace, and we expect this will continue through 2017. We have received more calls to our breach … Continue Reading
BakerHostetler began publishing its Data Security Incident Response Report in 2015. Although we were the first law firm to do so, inspiration for the report came from similar reports that cybersecurity firms issue. We will be publishing our 2017 Report on April 13, 2017, containing statistics and insights from the 450+ incidents we led clients … Continue Reading
Cue the year-end articles saying that this was the worst year to date for data breaches. Follow that with more dire predictions for 2017. Layer in one-size-fits-all recommendations to mitigate these risks. And finish with technology solutions that you must have. If you read all of this you might come away thinking that if your … Continue Reading
Public companies that are proactively working to mitigate “cyber” risks and prepare to respond to potential incidents frequently ask whether a “breach” will lead to litigation, loss of customers, stock price decline, and shareholder actions. There are a lot of factors that influence what adverse consequences follow disclosure of a breach. Of the hundreds of … Continue Reading
Venmo is a peer-to-peer mobile payments service that PayPal acquired in 2013. Users can transfer money to another person using a mobile or web application (e.g., send money to a friend to split the cost of dinner). On May 20, 2016, Texas Attorney General Ken Paxton announced that Texas had entered into an Assurance of … Continue Reading
For merchants, accepting payment cards is not really a choice. Many merchants, however, are unaware of how that “choice” subjects them to significant potential liability in the event payment card data from cards swiped at the point-of-sale is stolen from their payment network. Often casually (but incorrectly) referred to as “PCI fines and penalties,” the … Continue Reading
We provided incident response and incident response preparedness services to hundreds of companies in 2015. The questions we answered were as unique and varied as the incidents companies faced. Some were challenging, and occasionally they were easy to answer (e.g., Can we create a fake employee to sign the notification letter?), but often they were … Continue Reading
A forensic investigation by a security firm often does (and should) drive decision-making in response to an incident. Because the work of a security firm usually drives the critical path of a response, companies can become better prepared to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an … Continue Reading
There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for and how should they prepare? Annual reports from forensic investigation … Continue Reading
With the October 1, 2015 liability shift deadline looming, merchants who have not yet made the change continue to evaluate the cost of accepting EMV cards versus the liability that will shift from the issuer to the merchant if they do not. The costs of implementation are fairly straightforward—buy EMV-enabled terminals and work with the … Continue Reading
The EMV liability shift is coming. Sounds ominous, but what does it really mean? And how can retailers and merchants determine the potential impact of the shift on their business? Like many issues in the payment card industry, there is confusion and misunderstanding. Through an FAQ format, we cover the basics and address some of … Continue Reading
We released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Over the next four weeks, we will post several blogs that will provide a more in-depth look at certain findings. In this post, we cover one … Continue Reading
We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and … Continue Reading
Many have heard that “it is not a matter of if a company will be attacked, but when.” Statements like this used to be met with skepticism – companies would say we do not have information hackers want, we outsource our security so we have no risk, or the IT department said it will never … Continue Reading
The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone. The pendulum has swung in the opposite direction. Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as … Continue Reading
One common occurrence after the disclosure by a retailer of a breach affecting card present payment card data used to be the filing of claims by banks that issued payment cards affected by the incident. The banks bringing the claims were usually smaller banks seeking to recover the costs of reissuing new cards and counterfeit … Continue Reading