M. Scott Koller

Subscribe to all posts by M. Scott Koller

Impact of the Ukraine/Russia Conflict on Cybersecurity in the United States

By M. Scott Koller on March 16, 2022 Posted in Data Security

On Feb. 24, 2022, Russia launched a large-scale military incursion into Ukraine. By all accounts, the Russian offensive attacked on multiple fronts, including against Ukraine’s network computers and communication systems. The cyberattacks began before the first tank crossed the border, with Ukrainian networks subjected to multiple targeted attacks involving hacking, distributed denials of service and … Continue Reading

Deeper Dive: The Scourge of O365 Incidents

By David Kitchen, M. Scott Koller and BakerHostetler on April 11, 2019 Posted in Cybersecurity, Data Security Incident Response

A Growing Menace 2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit. Fully one-third of incidents addressed by our incident response team in 2018 involved unauthorized access to an online email account. Phishing attacks continued to dominate the types of cyberattacks organizations experienced in 2018, owed, … Continue Reading

Deeper Dive: Minimizing Risk

By M. Scott Koller, Brian P. Bartish and Patrick H. Haggerty on April 3, 2018 Posted in Data Security Incident Response

For organizations of any size, making sense of the constantly evolving cyber risk landscape can seem daunting. With new threats materializing on a constant basis, it can be difficult for organizations to efficiently allocate resources and respond to security incidents. In BakerHostetler’s newly-released 2018 Data Security Incident Response Report, we use our experience from more … Continue Reading

Deeper Dive: Incorporating Incident Response Into Disaster Recovery Plans

By M. Scott Koller on May 8, 2017 Posted in Cybersecurity, Ransomware

Incident response and disaster recovery are both essential components of a comprehensive written information security program. However, too often these plans are implemented in a vacuum, without considering the potential synergies and improvements that can be gained when such plans are developed, deployed and tested together. Incident response and disaster recovery tend to have the … Continue Reading

Virginia, Tennessee and New Mexico Are the Latest States to Amend Breach Notification Laws

By M. Scott Koller on April 10, 2017 Posted in Data Breach Notification Laws

Breach notification statutes remain one of the most active areas of the law. Seldom does a month go by without a new bill or amendment addressing privacy or data security, and this month is no exception. Virginia The state of Virginia recently expanded its breach notification statute to include income tax information among the types … Continue Reading

Data Breach Trends — 2016: the Year of Ransomware

By M. Scott Koller on January 3, 2017 Posted in Ransomware

Over the past year, the BakerHostetler Incident Response team has closely monitored data breach trends, and we are confident in concluding that 2016 was the year of ransomware. Nothing has had a greater impact or has been as widespread in 2016 than ransomware. From a hospital in California to a police department in Massachusetts, ransomware … Continue Reading

Cloud Service Providers Beware, You May Be Subject to HIPAA Without Knowing It

By M. Scott Koller on November 9, 2016 Posted in Cloud Computing, HIPAA/HITECH

The use of cloud service providers has exploded in the past several years. According to estimates from Gartner, the market for cloud services is expected to reach $204 billion in 2016. But the use of cloud service providers raises significant privacy and security concerns, especially for health care providers who are subject to the Health … Continue Reading

Tales from the Trenches: Lessons Learned from the Ashley Madison Data Breach

By M. Scott Koller on September 20, 2016 Posted in Data Breaches

In July 2015, the online cheating website Ashley Madison was hacked and data pertaining to its 37 million users were published online. The story made headlines given the sensitive nature of the information exposed, the number of people affected and the sensational details of the hack, which included allegations of fraud, blackmail and extortion. The … Continue Reading

A Closer Look at the OCR’s Guidance on Ransomware

By M. Scott Koller on August 22, 2016 Posted in HIPAA/HITECH, Medical Privacy

In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware. Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files … Continue Reading

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

By M. Scott Koller on August 19, 2016 Posted in HIPAA/HITECH, Medical Privacy

The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care … Continue Reading

Deeper Dive: When it Comes to Data Breaches, Size Matters

By M. Scott Koller on June 21, 2016 Posted in Data Breaches, Online Privacy

As part of our ongoing series analyzing the 2016 BakerHostetler Data Security Incident Response Report, this article takes a closer look at the factors that play a role in whether an entity will face a regulatory investigation or litigation as a result of a data breach. As the title suggests, the size of breach is … Continue Reading

TeslaCrypt Ransomware Developers Retire, Release Master Decryption Key

By M. Scott Koller on May 20, 2016 Posted in Cybersecurity

Ransomware is a particularly nefarious type of malware that hijacks computers and forces victims to pay a ransom in order to access their files. One of the reasons it is so successful is because ransomware developers use strong encryption that is virtually unbreakable without a decryption key. As a result, individuals and businesses without a … Continue Reading

Incident Response Tip: Five Ways to Improve Information Security and Reduce the Impact of a Data Breach

By M. Scott Koller on December 30, 2015 Posted in Cybersecurity, Incident Response

The new year will arrive in a few short days and when the bell tolls, it will mark the end of another extremely active year of data breaches. High-profile breaches such as Anthem, Ashley Madison, and the Office of Personnel Management serve as a reminder that it is a matter of when, not if, your … Continue Reading

California Amends Its Breach Notification Statute

By M. Scott Koller on October 12, 2015 Posted in Data Breach Notification Laws

For the third time in as many years, California has once again amended its breach notification statute. This time it expanded the definition of “personal information,” clarified the term “encryption,” and mandated additional formatting and content requirements for individual notification letters. These amendments impact both companies and agencies and will go into effect on January … Continue Reading

State Law Roundup: Legislatures Across the U.S. Revamp Data Breach Notification Laws

By M. Scott Koller, Melinda L. McLellan and Jenna N. Felz on July 27, 2015 Posted in Breach Notification, Data Breach Notification Laws, State Legislation

As the number of highly publicized data breaches continues to skyrocket and proposals for a federal data breach notification law stagnate, state legislatures around the country have been busy amending their own breach notification statutes. So far, 2015 has been a banner year for state breach law makers, with nine states formalizing amendments to their … Continue Reading

New Hampshire Enacts Breach Notification Requirement for the Department of Education

By M. Scott Koller on July 7, 2015 Posted in Data Breach Notification Laws

The state of New Hampshire recently enacted House Bill 322 (“HB 322”), which requires the Department of Education (“DOE”) to implement additional procedures to protect student and teacher data from security breaches. Those procedures now include a breach notification requirement. Effective August 11, 2015, the DOE must develop a detailed security plan that requires notification … Continue Reading

HHS Provides Guidance on HIPAA Privacy in Emergency Situations Such as Ebola

By Lynn Sessions and M. Scott Koller on November 11, 2014 Posted in Cybersecurity, HIPAA/HITECH, Medical Privacy

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services. In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act … Continue Reading

California’s Latest Amendments to Its Data Security Breach Notification Law – Much Ado about Nothing?

By Tanya Forsheit and M. Scott Koller on October 2, 2014 Posted in Data Breaches

Editor’s Note: The authors would like to thank Jaysen Borja for his contributions to this post. On September 30, 2014, California Governor, Jerry Brown, signed Assembly Bill 1710 into law, amending California’s existing personal information privacy laws. A.B. 1710 makes several changes to existing laws including: (1) the requirement that businesses that “maintain” personal information … Continue Reading