Tag Archives: data security

BakerHostetler Data Security Incident Response Report Reveals Being “Compromise Ready” Better Positions Companies to Respond to Incidents

On March 30, 2016, we released our second annual Data Security Incident Response Report. Key findings show that phishing/hacking/malware was the cause of 31% of data security incidents during 2015, revealing a shift from 2014 when human error was the leading cause. The report also continues the inaugural-year theme that no industry is immune to … Continue Reading

LabMD and Wyndham Decisions Curtail FTC’s Data Privacy and Security Reach

By Alan L. Friel and Gerald J. Ferguson on January 5, 2016 Posted in Children’s Privacy, HIPAA/HITECH, Online Privacy

Both the administrative law judge’s decision in LabMD and the Third Circuit’s recent decision in Wyndham, which we previously blogged about, put the FTC on notice that it cannot assume that in the wake of a security breach, allegedly inadequate data security will necessarily constitute an unfair practice under Section 5 of the FTC Act. Further, … Continue Reading

Incident Response Tip: Five Ways to Improve Information Security and Reduce the Impact of a Data Breach

By M. Scott Koller on December 30, 2015 Posted in Cybersecurity, Incident Response

The new year will arrive in a few short days and when the bell tolls, it will mark the end of another extremely active year of data breaches. High-profile breaches such as Anthem, Ashley Madison, and the Office of Personnel Management serve as a reminder that it is a matter of when, not if, your … Continue Reading

FCC’s Growing Privacy and Data Security Enforcement

By Patrick H. Haggerty and F. Paul Pittman on December 8, 2015 Posted in Data Breaches, Enforcement

The Federal Communications Commission (FCC) has had a busy 2015, and its presence in the data security regulatory enforcement space will likely continue to grow. Last year, the FCC named Travis LeBlanc as chief of the Enforcement Bureau. Since then, the FCC has brought three separate enforcement actions against companies for allegedly not safeguarding consumers’ … Continue Reading

A Deeper Dive: Data Security Incident? Don’t Panic

By Gerald J. Ferguson on August 17, 2015 Posted in Cybersecurity, Data Breaches, Incident Response

It’s 6 p.m. on a Friday and you get a call from your IT department. They have detected that an intruder has gained access to your company’s network. At this point, the headlines from the major data breaches of recent years may be flashing before you. You may be assuming the worst: regulatory investigations … … Continue Reading

Does the Government Have Carte Blanche to Retain Seized Data Indefinitely? In Amicus Brief to the Second Circuit, Policy Groups Argue No

By William W. Hellmuth on August 3, 2015 Posted in Information Security

On July 29, 2015, BakerHostetler filed an amicus brief with the Second Circuit on behalf of the Center for Democracy and Technology, joined by five prominent nonprofit public interest groups, for the en banc rehearing of United States v. Ganias, Case No. 12-240. In Ganias, the Court will grapple with arguments centering on whether the … Continue Reading

A Deeper Dive: Regulatory Investigations Following a Reported Breach

By Theodore J. Kobus III on June 2, 2015 Posted in Breach Notification, Incident Response, Information Security

In our inaugural Data Security Incident Response Report (the Report), we found that regulators inquired about a company’s breach 31% of the time and multi-state state Attorneys General investigations were launched less than 5% of the time. A post-breach investigation is not guaranteed. Certainly, in large, highly public incidents, companies can expect at least an … Continue Reading

To Err Is Human; to Indemnify, Divine?: Human Foibles in the Cloud

By Tanya Forsheit on May 19, 2015 Posted in Data Breaches, Incident Response, Information Security

BakerHostetler’s inaugural Data Security Incident Response Report (the “Report”) concluded that employee negligence and theft were two of the top five causes of data security incidents for the more than 200 incidents that we handled in 2014. Needless to say, this raises some important and concerning questions when it comes to the cloud. We note … Continue Reading

The DOJ Sets Out to Establish Standard for Data Security Incident Response and Preparation

By F. Paul Pittman on May 14, 2015 Posted in Data Breaches, Incident Response

Editor’s Note: The author is the most recent attorney to join our Privacy and Data Security Team. Paul represents clients in responding to potential data security incidents, counsels on incident response preparedness, and works with clients to develop appropriate policies to ensure compliance with applicable law, industry standards, or self-regulatory guidelines. He also counsels clients … Continue Reading

BakerHostetler’s First Data Security Incident Response Report Shows Human Error is Most Often to Blame

By Theodore J. Kobus III, Gerald J. Ferguson and Craig A. Hoffman on May 7, 2015 Posted in Incident Response

We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and … Continue Reading

Secret Service Raises Warning About Backoff POS Malware

By Craig A. Hoffman on August 25, 2014 Posted in Information Security, Online Privacy, Retail Industry

The Secret Service, which investigates financial crimes, issued a security Alert on July 31, 2014, warning of malware named “Backoff” that was being used to steal payment card data from point-of-sale (POS) systems. The Alert notes that the attackers often gain initial network access by stealing or brute-forcing the passwords for remote desktop applications (e.g., … Continue Reading

Something Wicked This Way Comes – Dark and Dusty Data and the Risk Your Organization Already Owns

By BakerHostetler on December 16, 2013 Posted in Data Breaches

This blog post is a joint submission with BakerHostetler’s Discovery Advocate blog. Authored by: James Sherer During the final panel of Thomson Reuters’ 17th Annual eDiscovery & Information Governance in Practice Forum, Thomas Barnett, Ignatius Grande, and Sandra Rampersaud led a lively discussion on Managing Big Data, Dark Data, and Risk. And while the exchange … Continue Reading

Court Denies Motion for Class Certification in Hannaford

By Erica Gann Kitaev on April 4, 2013 Posted in Data Breaches

Editor’s note: This is a cross-blog post with BakerHostetler’s Class Action Lawsuit Defense blog. For the latest class action defense updates, visit www.ClassActionLawsuitDefense.com. In an order surely to reverberate with both the plaintiffs’ and defense bar, on March 20, 2013, Judge D. Brock Hornby of the United States District Court for the District of Maine … Continue Reading

Be Prepared: Redline Version of the HIPAA/HITECH Final Rule

By Theodore J. Kobus III on January 22, 2013 Posted in HIPAA/HITECH, Medical Privacy

The final rule is significant for any organization that is considered to be a HIPAA covered entity (“CE”) (health systems, health care providers, health plans, etc.) or the more broadly defined business associate (“BA”). During our initial analysis of the final rule, we note significant changes to the way a breach is defined and we … Continue Reading

The Cybersecurity Act of 2012–What Does It Mean?

By Theodore J. Kobus III on February 15, 2012 Posted in Federal Legislation

Yesterday, Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (ID-Conn.), Ranking Member Susan Collins (R-Maine), Commerce Committee Chairman Jay Rockefeller (D-W.Va.), and Select Intelligence Committee Chairman Dianne Feinstein, D-Ca. introduced The Cybersecurity Act of 2012. The press release can be found here. We are seeing an increasing number of attacks targeting government secrets, trade … Continue Reading

Sony & Epsilon Support National Data Breach Notice Law in Testimony Before House Subcommittee

By Craig A. Hoffman on June 8, 2011 Posted in Breach Notification, Data Breach Notification Laws, Federal Legislation

On June 2, 2011, representatives from Sony Network Entertainment International and Epsilon Data Management, LLC appeared before a House panel to answer questions regarding their responses to recent security breaches. The hearing of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade was called by Subcommittee Chairwoman Mary Bono Mack (R-Calif.) as part … Continue Reading