Archives: Cybersecurity

New York Brings Long-Awaited Cybersecurity Message Case

By Jonathan A. Forman and Eulonda Skyles on July 30, 2020 Posted in Cybersecurity

Ever since the New York State Department of Financial Services (DFS) instituted its first-in-the-nation Cybersecurity Regulation[1] in 2017 (covered in our post here), banks, insurance companies, and others in the financial services industry wondered what would trigger an enforcement action under its broad purview. At long last, the industry now knows. On July 22, 2020, … Continue Reading

Joint Agencies Issue Guidance on Prevalence of Cyberattacks Exploiting COVID-19 and Teleworking

By Kathryn Carey on April 23, 2020 Posted in Cybersecurity

On Friday, April 10, 2020, the Department of Homeland Security, the Cybersecurity and Infrastructure Agency and the United Kingdom’s National Cyber Security Centre (NCSC) (jointly, the Agencies) issued a joint statement regarding the growing prevalence of COVID-19-related cyberattacks. The alert focuses on advanced persistent threat (APT) groups and other cybercriminals that are targeting organizations with … Continue Reading

Threat Actors are Finding New Ways to Commoditize Data

By David Potter and Anthony P. Valach on April 21, 2020 Posted in Cybersecurity

While all businesses continue to adjust to the remote work environment, it’s business as usual for cybercriminals. Although there are reports of phishing schemes tied to the COVID-19 pandemic, we are not really seeing different types of incidents or new tactics from the threat actors. Incident volume has increased slightly, but we are not seeing … Continue Reading

COVID-19 Cybersecurity Exposure

By Andreas Kaltsounis on March 18, 2020 Posted in Cybersecurity

Risk scenarios and recommendations History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting to track the coronavirus’s spread across the globe. These opportunistic attacks were an expected variation on well-known themes that use fear to engineer an … Continue Reading

Standing Guard – Digital Risk Advisory and Cybersecurity Team

By Craig A. Hoffman and Andreas Kaltsounis on January 27, 2020 Posted in Cybersecurity

The Digital Assets and Data Management (DADM) Practice Group offers holistic, enterprise-wide risk solutions to clients around “everything data.” The multidisciplinary new addition – chaired by Theodore J. Kobus III – is a strategic outgrowth of the firm’s world-class Privacy and Data Protection and Advertising, Marketing and Digital Media teams, combined with the innovative legal … Continue Reading

Everything Data!

By Theodore J. Kobus III on January 21, 2020 Posted in Advertising, Breach Notification, Consumer Data, Cybersecurity, Data Breaches, HIPAA/HITECH, Incident Response, Information Governance, Information Security

Thank you to our clients and relationships, as well as to the BakerHostetler team who made the creation of the new Digital Assets and Data Management (DADM) Practice Group possible. In a world dependent on data, this group takes a 360-degree approach to the delivery of services and counsel to clients on how they manage … Continue Reading

Cybersecurity Remains a Top SEC Examination Priority in the New Decade

By Jonathan A. Forman on January 10, 2020 Posted in Cybersecurity

It may be a new decade, but the focus of the Securities and Exchange Commission (SEC) on cybersecurity has not shifted. In particular, the SEC noted in its 2020 Examination Priorities that the Office of Compliance Inspections and Examinations (OCIE) “will continue to prioritize cyber and information security risks across the entire examination program.” This … Continue Reading

Cybersecurity Implications in Government Contracting Top 2019 End-of-Year Considerations

By W. Barron A. Avery on January 3, 2020 Posted in Cybersecurity

Barron Avery, leader of BakerHostetler’s national Government Contracts team, was quoted in a Law360 article titled “Top 5 Gov’t Contract Cases of 2019.” Avery’s comments come as a sure reminder for contractors that failing to adhere to cybersecurity requirements can have serious and dire consequences to contractors themselves. In May 2019, the U.S. District Court … Continue Reading

Congress: Public Companies Need to Get Serious About Cybersecurity

By Chris Jones on December 23, 2019 Posted in Cybersecurity

As businesses of all sizes increase spending on cybersecurity – projected to top $124 billion this year – a bipartisan group of lawmakers in Congress wants public companies to go one step further: Install a cyber expert on their boards of directors. The Cybersecurity Disclosure Act has been introduced several times in recent years, but … Continue Reading

SEC Updates Data Privacy and Cybersecurity Guidance for Registered Firms

By Jonathan A. Forman and Matt Friedman on April 22, 2019 Posted in Cybersecurity, Enforcement, Financial Privacy

On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P – Privacy Notices and Safeguard Policies,” highlighting its data privacy and cybersecurity observations from recent examinations of registered firms. Regulation S-P By … Continue Reading

Deeper Dive: The Scourge of O365 Incidents

By David Kitchen, M. Scott Koller and Kathryn Carey on April 11, 2019 Posted in Cybersecurity, Data Security Incident Response

A Growing Menace 2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit. Fully one-third of incidents addressed by our incident response team in 2018 involved unauthorized access to an online email account. Phishing attacks continued to dominate the types of cyberattacks organizations experienced in 2018, owed, … Continue Reading

Cybersecurity Firms Issue Annual Threat Reports

By Joseph L. Bruemmer on March 12, 2019 Posted in Cybersecurity

CrowdStrike, FireEye and IBM Security recently released their annual threat reports. These reports contain a wealth of information on recent trends in cybersecurity attacks and recommendations on the preventive measures companies can take to protect themselves. As attackers’ tactics, techniques and procedures continue to evolve, and as the attack surface of organizations continues to grow, … Continue Reading

Beware the Ides of March – Is Your NYDFS Cybersecurity Compliance in Order?

By Eulonda Skyles and Jonathan A. Forman on March 6, 2019 Posted in Cybersecurity, Enforcement

March is now here and with it the Cybersecurity Regulation of the New York Department of Financial Services (NYDFS) is now in full force and effect, including requirements relating to Third Party Service Providers[1] (e.g., vendors, suppliers, agents). To comply with the regulation, banks, insurance companies, and other financial institutions and individuals who are, or … Continue Reading

Trojan Malware Reclaims the Top Spot as the Greatest Cyber Threat to the Healthcare Sector

By Alexandra Royal on March 5, 2019 Posted in Cybersecurity, HIPAA/HITECH

Cybersecurity threats continued to plague the healthcare sector in 2018. Healthcare organizations notified twice as many individuals under HIPAA and other notification statutes in 2018 as compared with 2017. According to a new report from Malwarebytes Labs, 2019 State of Malware Report, trojan malware was the greatest threat to the healthcare sector in 2018.[1] Specifically, … Continue Reading

Insurance Data Security Model Law Picks Up Steam

By Andreas Kaltsounis and Shea M. Leitch on February 6, 2019 Posted in Cybersecurity, State Legislation

Three states recently enacted variations of the National Association of Insurance Commissioner’s (NAIC) Insurance Data Security Model Law (MDL-668), based on the landmark cybersecurity requirements issued by the New York Department of Financial Services (NYDFS) in March 2017. The NYDFS requirements apply to certain banking, insurance and financial service entities licensed in the state of … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Phishing Prevention

By Kathryn Carey and Aleksandra Vold on January 24, 2019 Posted in Cybersecurity, HHS, HIPAA/HITECH

This article is part of a series of blog posts exploring the recommendations and guidance Health and Human Services (HHS) provides healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. In its report on cybersecurity best practices, HHS highlights email phishing attacks as one of the top threats … Continue Reading

NFA’s Amended Cybersecurity Guidance Includes New Incident Reporting Requirement

By Jonathan A. Forman on January 17, 2019 Posted in Cybersecurity, Incident Response

Following other regulators, the National Futures Association (NFA) recently amended its cybersecurity guidance to, among other things, impose a new cybersecurity incident reporting requirement on members. Cybersecurity Incident Reporting. According to the amended guidance, members will be required to report to NFA any cybersecurity incident related to the member’s commodity interest business that resulted in … Continue Reading

HHS Issues Cybersecurity Guidance for Healthcare Organizations

By Kathryn Carey and Aleksandra Vold on January 7, 2019 Posted in Cybersecurity, HHS

BakerHostetler will post a series of blogs to fully explore the recommendations and guidance Health and Human Services provides healthcare organizations in its report. Cyberattacks continue to rise across industries, and healthcare is no different. Eighty percent of U.S. physicians reported having experienced some form of cyberattack. In 2017, cyberattacks cost small and midsize businesses … Continue Reading

HHS OIG Launches Cybersecurity Webpage to Raise Awareness and Boost Cybersecurity Best Practices

By Lynn Sessions and Alexandra Royal on December 5, 2018 Posted in Cybersecurity, HHS

Healthcare data can be up to 10 times more valuable to cyber criminals than credit card numbers, according to a report from the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG). And, with healthcare-focused ransomware attacks like WannaCry and NotPetya in the news more frequently, it’s no wonder that HHS OIG … Continue Reading

FDA Regional Incident Preparedness and Response Playbook Provides Guidance to the Healthcare Industry for Large-scale, Multi-patient Medical Device Cybersecurity Incidents

By Paulette Thomas on October 18, 2018 Posted in Cybersecurity, Medical Privacy

Earlier this month, the Mitre Corporation, on behalf of the Food and Drug Administration (FDA), released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the Playbook) as part of the FDA’s ongoing efforts to protect patients from cybersecurity vulnerabilities associated with the use of medical devices. The Playbook highlights high-profile cybersecurity attacks, including … Continue Reading

SEC Investigation Highlights BEC Risk and Need for Comprehensive Risk Assessments by Public Companies

By Andreas Kaltsounis on October 17, 2018 Posted in Cybersecurity, Data Breaches

The Securities and Exchange Commission issued a press release and an investigative report on Oct. 16 cautioning public companies to consider cyber threats when implementing internal accounting controls. The report stems from the SEC’s investigation of nine companies that lost between $1 million and $100 million each in so-called business email compromise (BEC) frauds, in … Continue Reading

Department of Justice Releases Attorney General’s First Cyber-Digital Task Force Report

By John Busch on August 17, 2018 Posted in Cybersecurity

The Department of Justice recently released its comprehensive assessment of cyber threats in the United States, titled “Report of the Attorney General’s Cyber-Digital Task Force.” The Report is the result of the establishment of the Attorney General’s Cyber-Digital Task Force by the Department in February 2018. Attorney General Jeff Sessions directed the Task Force to … Continue Reading

11th Circuit Issues Opinion Vacating Order That Required LabMD to Overhaul Its Data Security Program

By Kathryn Carey and Aaron Lancaster on June 8, 2018 Posted in Cybersecurity, Medical Privacy

On June 6, the 11th Circuit issued its long-awaited decision on LabMD Inc. v. Federal Trade Commission, vacating as unenforceable the Federal Trade Commission’s (FTC’s) cease and desist order that required LabMD to create and implement a variety of protective measures with respect to data security. Notably, however, the decision did not address the most … Continue Reading

SEC Clarifies Existing Cybersecurity Disclosure Guidance

By Craig A. Hoffman, Jonathan A. Forman and John Busch on February 28, 2018 Posted in Cybersecurity, Data Breach Notification Laws

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance” as we previously covered) regarding disclosure requirements under the federal securities … Continue Reading