Tag Archives: data security

Welcome to our 9th annual Data Security Incident Response Report!

Photo of Theodore J. Kobus IIIBy Theodore J. Kobus III on Posted in Data Security
We are now three years post pandemic, and while a lot has changed, some things remain the same. Last year, I talked about resilience—the uncertainties of the pandemic were still present, the war in Ukraine had just begun, and businesses were addressing new issues caused by technology evolution and work-pattern changes. Resilience in 2022 meant … Continue Reading

Modeling the Privacy Catwalk: Practical Steps Forward

Photo of Carolina AlonsoPhoto of Nikki EdmundsBy Carolina Alonso and Nikki Edmunds on Posted in Data Privacy
What’s Trending? (Privacy a la Mode) Notable fashion brands have been engaging in a “trial period” of new technologies as privacy laws and privacy enforcement are trending – for example, exploring integrating branding into digital assets in video games, virtual reality (VR) and augmented reality (AR) technology, metaverses, and non-fungible tokens (NFTs). Fashion naturally pushes … Continue Reading

2022 DSIR Report Deeper Dive: The Expanding Landscape of State Data Privacy Law

Photo of Elise ElamPhoto of David PotterPhoto of Vaughn StupartBy Elise Elam, David Potter and Vaughn Stupart on Posted in Data Protection, Data Security
BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer … Continue Reading

NYDFS Proposed Amendments to Its Cybersecurity Rules

Photo of Patrick H. HaggertyPhoto of Elise ElamBy Patrick H. Haggerty and Elise Elam on Posted in Cybersecurity
On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules that include a number of significant amendments to the rules, including notification requirements such as a mandatory 24-hour notification for cyber ransom payments, specific requirements for newly defined larger entities, increased expectations for oversight of … Continue Reading

DSIR Deeper Dive: Class Certification Jurisprudence

Photo of Melissa BilanciniBy Melissa Bilancini on Posted in Data Breaches
Over the years, there have been very few class certification rulings in actions arising from data breach incidents. Of those that have been published, most have favored the defense. However, as we discussed in our 2022 Data Security Incident Response Report, the recent ruling in In re Brinker Data Incident Litigation (“Brinker”)granting class certification has … Continue Reading

2022 DSIR Deeper Dive: Vendor Incidents

Photo of Stefanie FerrariBy Stefanie Ferrari on Posted in Data Breaches, Data Security Incident Response
Vendor-caused incidents continued to surge in 2021. Nearly 20 percent of the total incidents we handled last year were caused by vendors, with more than half requiring notification. As in prior years, vendor incidents involved phishing schemes and inadvertent disclosures but primarily resulted from ransomware attacks on the vendors’ systems. These ransomware attacks often involved … Continue Reading

It’s Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks: Part 3

Photo of Benjamin WangerPhoto of Allison ClarkBy Benjamin Wanger and Allison Clark on Posted in Ransomware
PART 1 PART 2 PART 3 In the event of a ransomware attack, there are a host of legal frameworks that could potentially be implicated.  Whether those laws apply often depends on the nature of the data that the threat actor accessed and/or acquired.  In this installment, we address the laws that could be implicated … Continue Reading

Forensics Deep Dive: The Importance of Proper Configuration and Monitoring

Photo of Joseph L. BruemmerBy Joseph L. Bruemmer on Posted in Data Breaches
Many of the trends we observed in 2020 continued in 2021. Network intrusions and ransomware continued in full force, representing more than half the incidents we handled last year. Threat actors continued their tried-and-true tactics of encrypting devices and exfiltrating data to extort payments, and also tried new approaches or variations on old ones, like … Continue Reading

Welcome to our 8th Annual Data Security Incident Response (DSIR) Report. What a year it has been!

Photo of Theodore J. Kobus IIIBy Theodore J. Kobus III on Posted in Data Security
2021 did not turn out the way many of us had hoped. Best-laid plans to “return to normal” were postponed numerous times due to multiple waves of COVID-19 outbreaks and new variants. The steady frequency of ransomware attacks in 2020 continued into 2021, highlighting the serious ongoing threat cyberattacks pose. The most frequent client requests … Continue Reading

Part 2 of BakerHostetler’s Countdown to CPRA – Top 5 FAQs to Evaluate Compliance Strategy for Employees

Photo of Jennifer MitchellBy Jennifer Mitchell on Posted in CPRA
In Part 1 of BakerHostetler’s Countdown to CPRA blog series, we provided initial guidance to businesses on key California Privacy Rights Act (CPRA) compliance readiness considerations. On January 1, 2023, California could become the first U.S. state to enact a comprehensive data privacy law covering employment-related data (“B2E”), whereas the California Consumer Privacy Act (CCPA) … Continue Reading

It’s Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks: Part 2

Photo of Benjamin WangerPhoto of Allison ClarkBy Benjamin Wanger and Allison Clark on Posted in Ransomware
PART 2 The best way to ensure that an educational institution can respond quickly and effectively to a ransomware attack and minimize any chaos and confusion that accompanies such incidents is to have an incident response plan in place to outline the procedures to be followed after ransomware has been detected.  In this posting, we … Continue Reading

California Privacy Protection Agency Board Chair Discusses CPRA Rulemaking Process and Agency Authority

Photo of Justin T. YedorPhoto of Jeewon SerratoBy Justin T. Yedor and Jeewon Serrato on Posted in CCPA, Consumer Data, CPRA, Data Privacy, Data Protection, Uncategorized
Justin T. Yedor and Jeewon Serrato On October 5, 2021, Jennifer Urban, who serves as Chair of the Board the California Privacy Protection Agency (the CPPA) spoke with members of the California Lawyer’s Association about the Board’s work to get the new Agency off the ground, the challenges it faces in doing so and the … Continue Reading

CPRA Rulemaking Begins with an Invitation by the New California Privacy Protection Agency

Photo of Justin T. YedorPhoto of Stanton BurkePhoto of Jeewon SerratoBy Justin T. Yedor, Stanton Burke and Jeewon Serrato on Posted in CCPA, CPRA, Information Security, Online Privacy, Uncategorized
By Justin Yedor, Stanton Burke, and Jeewon K. Serrato For businesses awaiting guidance on how to comply with the California Privacy Rights Act (the “CPRA”), the new California Privacy Protection Agency (“CPPA”) began the rulemaking process on September 22, 2021 with an Invitation for Preliminary Comments on Proposed Rulemaking (the “Invitation for Comment”).  In the … Continue Reading

Privacy and Product Counseling: 2020 in Review

Photo of Gerald J. FergusonPhoto of Nichole SterlingBy Kyle R. Fath, Gerald J. Ferguson and Nichole Sterling on Posted in Privacy
Summary Advising our clients on compliance with laws and regulations is, hands down, the most important aspect of our role as attorneys. In addition to seeking counsel on their obligations under laws and regulations, however – motivated by industry trends, utilization of and dependence on third-party services and platforms, and, this year, the COVID-19 pandemic … Continue Reading

New FTC Provides Insights Into Its Plan for a Balanced Approach to Data Privacy and Security

Photo of Carolina AlonsoBy Alan L. Friel, John Busch and Carolina Alonso on Posted in Federal Legislation, GDPR, Online Privacy
This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or … Continue Reading

11th Circuit Issues Opinion Vacating Order That Required LabMD to Overhaul Its Data Security Program

Photo of BakerHostetlerBy Aaron Lancaster and BakerHostetler on Posted in Cybersecurity, Medical Privacy
On June 6, the 11th Circuit issued its long-awaited decision on LabMD Inc. v. Federal Trade Commission, vacating as unenforceable the Federal Trade Commission’s (FTC’s) cease and desist order that required LabMD to create and implement a variety of protective measures with respect to data security. Notably, however, the decision did not address the most … Continue Reading

Deeper Dive: Using Response Time Metrics to Drive Incident Response Preparedness & Response Improvement

Photo of Craig A. HoffmanBy Craig A. Hoffman on Posted in Data Security Incident Response
One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain, fully investigate, and provide notification of the incident to individuals. The metric is valuable because it helps entities identify areas where they can improve before an incident occurs and … Continue Reading

Ways to Prevent & Prepare for Ransomware Attacks

Photo of BakerHostetlerBy BakerHostetler on Posted in Ransomware
Ransomware was involved in 10 percent of the 450 breaches handled by our Privacy and Data Protection team in 2016. This week’s news about a global ransomware attack is another example that this trend is on the rise. Companies, governments and organizations around the world are grappling with what steps they should take to minimize … Continue Reading

Deeper Dive: Ransomware – WannaCry and the Future of Ransomware-as-a-Service

Photo of Melinda L. McLellanPhoto of James A. ShererBy Melinda L. McLellan and James A. Sherer on Posted in Cybersecurity, Data Breaches, Incident Response, Ransomware
In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future. Less than a … Continue Reading

Babies and Baby-making, or Not… Privacy and Security Lessons for the Internet of Things

By Alan L. Friel on Posted in Internet of Things
What do babies, sex toys and wireless head phones have in common? Apparently, the privacy concerns of the Federal Trade Commission (FTC), state AGs and legislatures, class action plaintiffs, and consumer advocacy groups, at least when it comes to the Internet of Things (IoT). The IoT refers to consumer devices that are connected, directly or … Continue Reading

Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

By David M. Brown on Posted in Cybersecurity, Data Breaches, Enforcement, Online Privacy, Retail Industry
On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an … Continue Reading
LexBlog