Vendor-caused incidents continued to surge in 2021. Nearly 20 percent of the total incidents we handled last year were caused by vendors, with more than half requiring notification. As in prior years, vendor incidents involved phishing schemes and inadvertent disclosures but primarily resulted from ransomware attacks on the vendors’ systems. These ransomware attacks often involved … Continue Reading
Kentucky became the latest state to adopt the NAIC insurance data security model law with Governor Andy Beshear’s signing of House Bill 474. The new law goes into effect Jan. 1, 2023, and gives covered licensees one or two years for implementation, depending on the specific provision. Like many other states, Kentucky enacted the law … Continue Reading
PART 1 PART 2 PART 3 In the event of a ransomware attack, there are a host of legal frameworks that could potentially be implicated. Whether those laws apply often depends on the nature of the data that the threat actor accessed and/or acquired. In this installment, we address the laws that could be implicated … Continue Reading
Many of the trends we observed in 2020 continued in 2021. Network intrusions and ransomware continued in full force, representing more than half the incidents we handled last year. Threat actors continued their tried-and-true tactics of encrypting devices and exfiltrating data to extort payments, and also tried new approaches or variations on old ones, like … Continue Reading
2021 did not turn out the way many of us had hoped. Best-laid plans to “return to normal” were postponed numerous times due to multiple waves of COVID-19 outbreaks and new variants. The steady frequency of ransomware attacks in 2020 continued into 2021, highlighting the serious ongoing threat cyberattacks pose. The most frequent client requests … Continue Reading
In Part 1 of BakerHostetler’s Countdown to CPRA blog series, we provided initial guidance to businesses on key California Privacy Rights Act (CPRA) compliance readiness considerations. On January 1, 2023, California could become the first U.S. state to enact a comprehensive data privacy law covering employment-related data (“B2E”), whereas the California Consumer Privacy Act (CCPA) … Continue Reading
PART 2 The best way to ensure that an educational institution can respond quickly and effectively to a ransomware attack and minimize any chaos and confusion that accompanies such incidents is to have an incident response plan in place to outline the procedures to be followed after ransomware has been detected. In this posting, we … Continue Reading
Justin T. Yedor and Jeewon Serrato On October 5, 2021, Jennifer Urban, who serves as Chair of the Board the California Privacy Protection Agency (the CPPA) spoke with members of the California Lawyer’s Association about the Board’s work to get the new Agency off the ground, the challenges it faces in doing so and the … Continue Reading
By Justin Yedor, Stanton Burke, and Jeewon K. Serrato For businesses awaiting guidance on how to comply with the California Privacy Rights Act (the “CPRA”), the new California Privacy Protection Agency (“CPPA”) began the rulemaking process on September 22, 2021 with an Invitation for Preliminary Comments on Proposed Rulemaking (the “Invitation for Comment”). In the … Continue Reading
On June 10, 2021, the National People’s Congress of the People’s Republic of China (PRC) approved the passage of the Data Security Law (DSL), which will take effect on Sept. 1, 2021. Overview Unlike the PRC’s Cybersecurity Law of 2016 (CSL) and the Personal Information Protection Law – undergoing public comment for its second draft, … Continue Reading
Summary Advising our clients on compliance with laws and regulations is, hands down, the most important aspect of our role as attorneys. In addition to seeking counsel on their obligations under laws and regulations, however – motivated by industry trends, utilization of and dependence on third-party services and platforms, and, this year, the COVID-19 pandemic … Continue Reading
This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or … Continue Reading
On June 6, the 11th Circuit issued its long-awaited decision on LabMD Inc. v. Federal Trade Commission, vacating as unenforceable the Federal Trade Commission’s (FTC’s) cease and desist order that required LabMD to create and implement a variety of protective measures with respect to data security. Notably, however, the decision did not address the most … Continue Reading
One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain, fully investigate, and provide notification of the incident to individuals. The metric is valuable because it helps entities identify areas where they can improve before an incident occurs and … Continue Reading
Recently, data security experts and regulators have said that “businesses should use a common sense approach” when addressing data security. However, rarely do I hear clients or other business professionals speak in those terms. Many organizations find data security to be daunting. It does not have to be. In fact, it can be a matter … Continue Reading
Ransomware was involved in 10 percent of the 450 breaches handled by our Privacy and Data Protection team in 2016. This week’s news about a global ransomware attack is another example that this trend is on the rise. Companies, governments and organizations around the world are grappling with what steps they should take to minimize … Continue Reading
In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future. Less than a … Continue Reading
What do babies, sex toys and wireless head phones have in common? Apparently, the privacy concerns of the Federal Trade Commission (FTC), state AGs and legislatures, class action plaintiffs, and consumer advocacy groups, at least when it comes to the Internet of Things (IoT). The IoT refers to consumer devices that are connected, directly or … Continue Reading
On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an … Continue Reading
On July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal … Continue Reading
On March 30, 2016, we released our second annual Data Security Incident Response Report. Key findings show that phishing/hacking/malware was the cause of 31% of data security incidents during 2015, revealing a shift from 2014 when human error was the leading cause. The report also continues the inaugural-year theme that no industry is immune to … Continue Reading
Both the administrative law judge’s decision in LabMD and the Third Circuit’s recent decision in Wyndham, which we previously blogged about, put the FTC on notice that it cannot assume that in the wake of a security breach, allegedly inadequate data security will necessarily constitute an unfair practice under Section 5 of the FTC Act. Further, … Continue Reading
The new year will arrive in a few short days and when the bell tolls, it will mark the end of another extremely active year of data breaches. High-profile breaches such as Anthem, Ashley Madison, and the Office of Personnel Management serve as a reminder that it is a matter of when, not if, your … Continue Reading
The Federal Communications Commission (FCC) has had a busy 2015, and its presence in the data security regulatory enforcement space will likely continue to grow. Last year, the FCC named Travis LeBlanc as chief of the Enforcement Bureau. Since then, the FCC has brought three separate enforcement actions against companies for allegedly not safeguarding consumers’ … Continue Reading