Craig A. Hoffman

Subscribe to all posts by Craig A. Hoffman

The Scourge of Ransomware

By Craig A. Hoffman and Elise Elam on May 13, 2021 Posted in Data Security Incident Response

Our 2021 Data Security Incident Response Report (DSIR) described ransomware as a scourge. There are stories every day about new threat actor groups and their victims. There are task forces, law enforcement initiatives, discussions by legislators about laws to help address the problem, and real-world impact from operational disruption (such as panic-buying of gas). Most … Continue Reading

The Destruction of Privilege and Work Product Protection for Data Breach Investigations?

By Craig A. Hoffman, Theodore J. Kobus III, Lynn Sessions, Casie Collignon, David Carney, Joseph L. Bruemmer, Thomas Hogan and Aleksandra Vold on June 17, 2020 Posted in Data Breaches

Attorneys play an important role in the incident response process. A skilled and experienced attorney can help organizations effectively respond to a security incident in a way that complies with obligations, protects key relationships, and prevents or mitigates financial consequences. Unfortunately, some have sold the value of involving an attorney in the incident response process … Continue Reading

DSIR Deeper Dive: Using Compromise Threat Intelligence

By Craig A. Hoffman on May 7, 2020 Posted in Data Security Incident Response

Organizations are under tremendous pressure to be agile and resilient. A key part of building a mature cybersecurity posture to enable the goals of the organization is conducting ongoing risk assessments and then implementing risk-prioritized measures. Organizations contact us during this process to ask what emerging threats to guard against. Our answer always includes a … Continue Reading

Standing Guard – Digital Risk Advisory and Cybersecurity Team

By Craig A. Hoffman and Andreas Kaltsounis on January 27, 2020 Posted in Cybersecurity

The Digital Assets and Data Management (DADM) Practice Group offers holistic, enterprise-wide risk solutions to clients around “everything data.” The multidisciplinary new addition – chaired by Theodore J. Kobus III – is a strategic outgrowth of the firm’s world-class Privacy and Data Protection and Advertising, Marketing and Digital Media teams, combined with the innovative legal … Continue Reading

Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards

By Brian P. Bartish and Craig A. Hoffman on August 13, 2018 Posted in Data Breaches, State Legislation

Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this … Continue Reading

Do You Need a Chief Digital Risk Officer (or Digital Risk Working Group)?

By Craig A. Hoffman on August 6, 2018 Posted in Data Security Incident Response

Axioms are common in the privacy and security space. One that has been popping up with more frequency is “privacy and security is an enterprise risk that requires an enterprise-wide effort to appropriately address.” It is easy to say, hard to execute and absolutely necessary.… Continue Reading

Deeper Dive: Using Response Time Metrics to Drive Incident Response Preparedness & Response Improvement

By Craig A. Hoffman on May 1, 2018 Posted in Data Security Incident Response

One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain, fully investigate, and provide notification of the incident to individuals. The metric is valuable because it helps entities identify areas where they can improve before an incident occurs and … Continue Reading

SEC Clarifies Existing Cybersecurity Disclosure Guidance

By Craig A. Hoffman, Jonathan A. Forman and John Busch on February 28, 2018 Posted in Cybersecurity, Data Breach Notification Laws

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance” as we previously covered) regarding disclosure requirements under the federal securities … Continue Reading

Be Compromise Ready: Go Back to the Basics

By Theodore J. Kobus III and Craig A. Hoffman on April 13, 2017 Posted in Cybersecurity, Mobile Privacy, Online Privacy, Ransomware

We are excited to release our third annual BakerHostetler Data Security Incident Response Report. This report analyzes the more than 450 data security incidents we led clients through in 2016. Companies continued to experience incidents at a record pace, and we expect this will continue through 2017. We have received more calls to our breach … Continue Reading

Crowdsourcing Cybersecurity in 2017

By Craig A. Hoffman and Erich Falke on April 11, 2017 Posted in Cybersecurity, Ransomware

BakerHostetler began publishing its Data Security Incident Response Report in 2015. Although we were the first law firm to do so, inspiration for the report came from similar reports that cybersecurity firms issue. We will be publishing our 2017 Report on April 13, 2017, containing statistics and insights from the 450+ incidents we led clients … Continue Reading

What Can Be Learned From 2016 Security Incidents?

By Craig A. Hoffman on December 22, 2016 Posted in Cybersecurity

Cue the year-end articles saying that this was the worst year to date for data breaches. Follow that with more dire predictions for 2017. Layer in one-size-fits-all recommendations to mitigate these risks. And finish with technology solutions that you must have. If you read all of this you might come away thinking that if your … Continue Reading

Home Depot Evades Shareholder’s Derivative Suit for 2014 Data Breach

By Craig A. Hoffman and Stephanie Lucas on December 20, 2016 Posted in Data Breaches

Public companies that are proactively working to mitigate “cyber” risks and prepare to respond to potential incidents frequently ask whether a “breach” will lead to litigation, loss of customers, stock price decline, and shareholder actions. There are a lot of factors that influence what adverse consequences follow disclosure of a breach. Of the hundreds of … Continue Reading

PayPal Reaches Settlement With Texas Over Venmo Privacy and Security Disclosures

By Craig A. Hoffman and Douglas A. Vonderhaar on May 25, 2016 Posted in Financial Privacy

Venmo is a peer-to-peer mobile payments service that PayPal acquired in 2013. Users can transfer money to another person using a mobile or web application (e.g., send money to a friend to split the cost of dinner). On May 20, 2016, Texas Attorney General Ken Paxton announced that Texas had entered into an Assurance of … Continue Reading

Deeper Dive: Merchant Liability Arising from Stolen Payment Cards

By Craig A. Hoffman on May 9, 2016 Posted in Incident Response, Payment Card Industry

For merchants, accepting payment cards is not really a choice. Many merchants, however, are unaware of how that “choice” subjects them to significant potential liability in the event payment card data from cards swiped at the point-of-sale is stolen from their payment network. Often casually (but incorrectly) referred to as “PCI fines and penalties,” the … Continue Reading

Five Questions Clients Asked Most Often in 2015 About Incident Response

By Craig A. Hoffman on January 20, 2016 Posted in Incident Response

We provided incident response and incident response preparedness services to hundreds of companies in 2015. The questions we answered were as unique and varied as the incidents companies faced. Some were challenging, and occasionally they were easy to answer (e.g., Can we create a fake employee to sign the notification letter?), but often they were … Continue Reading

How and Why to Pick a Forensic Firm Before the Inevitable Occurs

By Craig A. Hoffman on November 16, 2015 Posted in Cybersecurity, Incident Response

A forensic investigation by a security firm often does (and should) drive decision-making in response to an incident. Because the work of a security firm usually drives the critical path of a response, companies can become better prepared to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an … Continue Reading

2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents

By Craig A. Hoffman on August 27, 2015 Posted in Cybersecurity, Data Breaches, HIPAA/HITECH, Incident Response, Information Security, Infrastructure, Retail Industry

There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for and how should they prepare? Annual reports from forensic investigation … Continue Reading

EMV Liability Shift Update – What Liability Actually Shifts?

By Craig A. Hoffman on August 20, 2015 Posted in Retail Industry

With the October 1, 2015 liability shift deadline looming, merchants who have not yet made the change continue to evaluate the cost of accepting EMV cards versus the liability that will shift from the issuer to the merchant if they do not. The costs of implementation are fairly straightforward—buy EMV-enabled terminals and work with the … Continue Reading

Explaining the Implications for Merchants of EMV and the Liability Shift

By Craig A. Hoffman on May 18, 2015 Posted in Data Breaches

The EMV liability shift is coming. Sounds ominous, but what does it really mean? And how can retailers and merchants determine the potential impact of the shift on their business? Like many issues in the payment card industry, there is confusion and misunderstanding. Through an FAQ format, we cover the basics and address some of … Continue Reading

2015 BakerHostetler Incident Response Report Deeper Dive—Retailer Liability Arising from Stolen Payment Cards

By Craig A. Hoffman on May 12, 2015 Posted in Data Breaches, Incident Response, Retail Industry

We released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Over the next four weeks, we will post several blogs that will provide a more in-depth look at certain findings. In this post, we cover one … Continue Reading

BakerHostetler’s First Data Security Incident Response Report Shows Human Error is Most Often to Blame

By Theodore J. Kobus III, Gerald J. Ferguson and Craig A. Hoffman on May 7, 2015 Posted in Incident Response

We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and … Continue Reading

Cybersecurity is a Real Risk, So Become “Compromise Ready”

By Craig A. Hoffman on April 29, 2015 Posted in Cybersecurity

Many have heard that “it is not a matter of if a company will be attacked, but when.” Statements like this used to be met with skepticism – companies would say we do not have information hackers want, we outsource our security so we have no risk, or the IT department said it will never … Continue Reading

Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues

By Craig A. Hoffman on January 20, 2015 Posted in Breach Notification, Data Breach Notification Laws, State Legislation

The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone. The pendulum has swung in the opposite direction. Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as … Continue Reading

Ruling Gives New Life to Bank Claims Against Breached Retailers in Target Case

By Craig A. Hoffman on December 3, 2014 Posted in Retail Industry

One common occurrence after the disclosure by a retailer of a breach affecting card present payment card data used to be the filing of claims by banks that issued payment cards affected by the incident. The banks bringing the claims were usually smaller banks seeking to recover the costs of reissuing new cards and counterfeit … Continue Reading