Elise Elam

Deeper Dive into the Data

By Elise Elam on May 23, 2023 Posted in Data Security Incident Response

Every year, BakerHostetler collects and analyzes various metrics about the incident response matters we handle. In 2022, we handled over 1,160 incidents. The most striking trends we saw across those incidents were an overall increase in the average ransom demands and payments, as well as an increase in recovery times in certain sectors. We also … Continue Reading

New York Department of Financial Services Publishes Proposed Second Amendment to Its Cybersecurity Regulation

By Patrick H. Haggerty, Vaughn Stupart and Elise Elam on November 17, 2022 Posted in Cybersecurity

On Nov. 9, 2022, the New York State Department of Financial Services (NYDFS) published a proposed second amendment to its cybersecurity regulation. This follows its pre-proposed amendment that was published on July 29. Our prior analysis of those amendments is available here. NYDFS did consider comments received in response to the pre-proposed amendments, as they … Continue Reading

2022 DSIR Report Deeper Dive: The Expanding Landscape of State Data Privacy Law

By Elise Elam, David Potter and Vaughn Stupart on August 30, 2022 Posted in Data Protection, Data Security

BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer … Continue Reading

NYDFS Proposed Amendments to Its Cybersecurity Rules

By Patrick H. Haggerty and Elise Elam on August 9, 2022 Posted in Cybersecurity

On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules that include a number of significant amendments to the rules, including notification requirements such as a mandatory 24-hour notification for cyber ransom payments, specific requirements for newly defined larger entities, increased expectations for oversight of … Continue Reading

Florida Follows North Carolina in Prohibiting State Agencies from Paying Ransoms

By Elise Elam and Benjamin Wanger on July 19, 2022 Posted in Cybersecurity, Ransomware

We recently wrote about North Carolina’s new law prohibiting state agencies – including public schools and universities – from paying a ransom or even communicating with a threat actor following a ransomware incident. On June 24, Florida followed suit when its governor signed HB 7055 into law, amending portions of the State Cybersecurity Act (the … Continue Reading

DSIR Deeper Dive into the Data: Ransomware Front and Center

By Joseph L. Bruemmer and Elise Elam on June 16, 2022 Posted in Ransomware

There is no question that ransomware is here to stay. Thirty-seven percent of the matters we handled last year involved ransomware, compared to 27 percent of matters in 2020. In 2019, there were approximately 15 active ransomware threat actor groups. In 2021, we handled matters involving more than 80 different ransomware variants. Government entities and … Continue Reading

North Carolina is the First State to Prohibit Public Entities from Paying Ransoms: What Does This Mean for North Carolina Public Schools and Universities?

By Elise Elam and Benjamin Wanger on May 19, 2022 Posted in Data Counsel

On April 5th, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. Indeed, in addition to prohibiting said entities from paying ransoms, North Carolina’s new law actually goes so far as to prohibit a public entity from even communicating with threat … Continue Reading

Kentucky Joins Nearly 30 States by Enacting an Insurance Data Security Law

By Elise Elam on April 28, 2022 Posted in Data Security

Kentucky became the latest state to adopt the NAIC insurance data security model law with Governor Andy Beshear’s signing of House Bill 474. The new law goes into effect Jan. 1, 2023, and gives covered licensees one or two years for implementation, depending on the specific provision. Like many other states, Kentucky enacted the law … Continue Reading

The Scourge of Ransomware

By Craig A. Hoffman and Elise Elam on May 13, 2021 Posted in Data Security Incident Response

Our 2021 Data Security Incident Response Report (DSIR) described ransomware as a scourge. There are stories every day about new threat actor groups and their victims. There are task forces, law enforcement initiatives, discussions by legislators about laws to help address the problem, and real-world impact from operational disruption (such as panic-buying of gas). Most … Continue Reading