Information Security and Privacy Group News: Cybersecurity Conference Essential Take-Aways: Government, Industry and Legal Perspectives

by Murtha Cullina

Representatives of Connecticut businesses and corporations, educational institutions, and state and local government attended Murtha Cullina’s March 2016 Cybersecurity Conference at the Quinnipiac University School of Law. Featured speakers were Assistant Attorney General Matthew Fitzsimmons, who heads the Privacy and Data Security Department of the Office of the Connecticut Attorney General; Rob Howley, Senior Director of Regulatory Affairs for Cox Communications; and David Gardiner, Cyber Intelligence Analyst for the FBI, based in New Haven, Connecticut. In addition, five Murtha attorneys provided key tips on privacy and data security risks: Jennifer A. Corvo, on data security in the workplace; Stephanie Sprague Sobkowiak, on healthcare privacy issues; Ryan Suerth, on business insurance coverage issues; Suzanne Brown Walsh, on access to digital accounts and assets after an account holder’s incapacity or death; and Edward B. Whittemore, on corporate board obligations for data security. Burt Cohen, Chair of Murtha Cullina’s Information Security & Privacy Practice Group, gave introductory remarks and moderated the panel discussions.

Below are essential take-aways from the conference:

The Problem of Cybersecurity

  • 515 data breach notifications affecting 2.5 million Connecticut residents were made to the Connecticut Attorney General’s Office in 2015.
  • Motivations for cyberattacks fall into four broad categories: (1) to steal personal and financial information; (2) to obtain financial gain directly; (3) to take revenge on, or disrupt, a business; and (4) to further a nation-state operation.
  • Data breaches can originate from an external attacker, from an insider acting out of negligence or carelessness, or through a vendor or contractor with access to your systems.
  • Former employees, and dishonest current employees, can also create serious data security problems.
  • An advanced persistent threat (APT) is a network attack in which an unauthorized party gains access to a network and remains there undetected for a long period of time. The intention of an APT is typically to steal data rather than to damage the network or the organization. That said, nearly every cyber-attack is "persistent" in the sense that reconnaissance and planning precede the actual intrusion.
  • Business email compromise (BEC) is a scheme in which an attacker gains control of, or convincingly impersonates, a legitimate business email account and uses it to send plausible but bogus requests for wire transfers or other sensitive data. During the past year, reported losses from business email compromise totaled roughly $1 billion.
  • Utility scammers obtain a business’s account information for electric, water or gas service and then contact the business by phone, or sometimes in person, usually at a peak operating time, threatening shut-off unless immediate payment is made. Utilities follow a defined termination procedure, so any such demand for immediate payment is fraudulent.
  • Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an email.
  • Ransomware is malware that prevents or limits users from accessing their own systems or files, typically by encrypting them, and demands payment through an online payment method in exchange for restoring access or returning the data.
  • Tech support scams may use computer pop-ups but more commonly take the form of telephone calls purporting to come from a legitimate company, such as Microsoft, seeking access to your computer or network on the pretext of fixing problems or improving performance.
  • It is critical to monitor your own company’s or organization’s network to ensure that it has not been infiltrated; otherwise, compromised machines on your network can be used to attack other networks, for example as part of a botnet.
  • The U.S. Department of Homeland Security has identified 16 critical infrastructure sectors in the U.S.:
    – Chemical
    – Commercial Facilities
    – Communications
    – Critical Manufacturing
    – Dams
    – Defense Industrial Base
    – Emergency Services
    – Energy
    – Financial Services
    – Food and Agriculture
    – Government Facilities
    – Healthcare and Public Health
    – Information Technology
    – Nuclear Reactors, Materials and Waste
    – Transportation Systems
    – Water and Wastewater Systems

Cybersecurity from a Legal Perspective

  • Although many businesses and industries are subject to specific federal laws regarding the protection of personal and confidential information and records, there is no single federal law that applies across the board to data security and breaches.
  • As of March 2016, 47 states have enacted their own data breach laws, including CT, MA, RI and NY.
  • An emerging trend is for a state to enforce its own data security and breach notification law against out-of-state companies when a data breach involves the personal information of that state’s residents.
  • Connecticut law restricts the posting, display, transmission and use of social security numbers. Among other things, no person or business may require an individual to transmit a social security number over the Internet unless the connection is secure or the number is encrypted, or require a social security number to access a website unless a password or unique personal identification number is also required. (Conn. Gen. Stat. § 42-470)
  • Connecticut law mandates that any person who collects social security numbers in the course of business must create a privacy policy and publish or publicly display it, such as on that business’s website. The privacy policy must protect the confidentiality of, limit access to, and prohibit the unlawful disclosure of any such social security numbers. (Conn. Gen. Stat. § 42-471)
  • Connecticut law requires persons and businesses to safeguard data, computer files and documents containing personal information on another person from misuse by third parties, and requires that any such data, computer files and documents be destroyed, erased or made unreadable prior to disposal. (Conn. Gen. Stat. § 42-471)
  • Connecticut law requires that notice of a breach of personal information be given to affected persons, and to the Office of the Attorney General, without unreasonable delay and in any event not later than 90 days after discovery of the breach, where the personal information was not secured by encryption or another technology that renders it unreadable or unusable. Personal information means the first name or first initial and last name in combination with one or more of the following: (1) social security number; (2) driver’s license number; or (3) account number, or credit or debit card number, together with any security code, access code or password that would permit access to the account. (Conn. Gen. Stat. § 36a-701b)
  • In addition to enforcing these statutes, the Connecticut Attorney General can also enforce certain privacy-related federal laws, such as HIPAA which protects individually identifiable health information, whether in written or electronic format. The Connecticut Attorney General was the first state AG to sue a breaching party under HIPAA. In the health care industry, HIPAA is arguably broader than the Connecticut law, although a breach under HIPAA is often a data breach under Connecticut law, as well.
  • A business that makes untrue representations about its privacy and data security may be subject to a lawsuit under the Connecticut Unfair Trade Practices Act or an enforcement action by the Federal Trade Commission.
  • Corporate boards have a legal duty of oversight for cybersecurity and, as part of that duty of oversight, should regularly consider and oversee management’s efforts to address data and information security issues as a material business risk.

Best Practices to Address Cyber Risks

  • It is essential to have a written information security program (WISP). A WISP documents the administrative, technical and physical safeguards you apply to confidential information about employees, customers, clients and patients, provides a working guide for responding to a data breach or cyber-attack, and forces an internal self-examination of whether those safeguards are actually in place.
  • Each company and organization should also focus on the human element through Cybersecurity training and periodic testing of personnel to ensure that proper safeguards and established computer protocols are being followed.
  • Cyber liability/crime insurance is now offered to cover a variety of both liability and property losses arising from conducting business on the Internet or collecting data within an internal electronic network. These policies cover a business’s liability for a data breach in which customers’ personal information is exposed or stolen by a hacker or other criminal who has gained access to the firm’s computer network. The policies typically cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and losses resulting from identity theft. They may also cover ransomware incidents. Before purchasing any such insurance, consider having the policy reviewed by an insurance attorney or professional.
  • Corporate boards should ask questions of management concerning data security and breaches. It may make sense to appoint a board member who is conversant in data security issues or hire outside security experts to review corporate preparedness for cybersecurity threats.
  • Use encryption both for electronic data at rest and for any transmission or distribution of electronic data, particularly when it involves personal and confidential information. Note that the encryption safe harbor in the Connecticut breach notification statute (Conn. Gen. Stat. § 36a-701b) is only meaningful if the decryption keys were not also exposed; keys should be stored and managed separately from the data they protect.
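The following is an added illustration of the encryption-at-rest recommendation above; it is not code from the original newsletter or from Murtha Cullina. It seals the sensitive fields of a record (a name plus a Social Security number, which together meet the Connecticut definition of personal information) with AES-256-GCM before the record is written to a data store, and binds the row identifier in as associated data so a ciphertext cannot be copied onto another row. The record type, the sample values and the in-process key generation are constructed for the example; a real deployment would obtain the key from a KMS or HSM, never from the same store as the data. Encryption in transit (TLS) is a separate control and is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a constructed example of "personal information": a name in
// combination with a Social Security number.
type Record struct {
	ID   string // non-secret row identifier, stored in the clear
	Name string
	SSN  string
}

// Envelope is what actually gets written to the data store: the identifier
// in the clear, the sensitive fields only as AES-256-GCM ciphertext.
type Envelope struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte // includes the 16-byte GCM authentication tag
}

// NewKey generates a random 256-bit key. This is for the example only; in
// production the key lives in a KMS/HSM, separate from the encrypted data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the sensitive fields under a fresh random nonce. The record
// ID is passed as additional authenticated data (AAD), so the ciphertext is
// cryptographically tied to this row.
func Seal(key []byte, r Record) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	plaintext := []byte(r.Name + "\x00" + r.SSN) // NUL separator; names never contain NUL
	ct := aead.Seal(nil, nonce, plaintext, []byte(r.ID))
	return Envelope{ID: r.ID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies an envelope. Any change to the nonce, the
// ciphertext, the tag, or the row ID makes authentication fail; no
// corrupted plaintext is ever returned.
func Open(key []byte, e Envelope) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, []byte(e.ID))
	if err != nil {
		return Record{}, errors.New("authentication failed: wrong key, or ciphertext/record ID altered")
	}
	parts := bytes.SplitN(pt, []byte{0}, 2)
	if len(parts) != 2 {
		return Record{}, errors.New("malformed plaintext")
	}
	return Record{ID: e.ID, Name: string(parts[0]), SSN: string(parts[1])}, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample values, not real data.
	env, _ := Seal(key, Record{ID: "cust-1001", Name: "J. Doe", SSN: "123-45-6789"})
	fmt.Printf("stored row: id=%s ciphertext=%x\n", env.ID, env.Ciphertext)
	rec, err := Open(key, env)
	fmt.Println("decrypted:", rec, err)
	// Copy the ciphertext onto a different row: the AAD check rejects it.
	env.ID = "cust-2002"
	_, err = Open(key, env)
	fmt.Println("after moving to another row:", err)
}
```

The point for the safe harbor discussion: if an attacker exfiltrates the table, they obtain only the Envelope values, which reveal nothing about names or SSNs, and they cannot forge or relocate records without the key. If the same attacker also obtains the key, the "encrypted" data is readable and the exemption from notification no longer applies, which is why key custody, not the cipher, is usually the deciding question.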

And now for something completely different . . .

  • Modern estate plans must address access to digital accounts and assets after an account holder’s incapacity or death. Otherwise, in many cases, federal privacy laws will prohibit fiduciary access altogether, regardless of the asset’s value.
  • Digital or electronic currency will undoubtedly become more common over time. The goal is to establish uniform laws and standards that minimize the opportunity to utilize these currencies for illegal money laundering. Murtha attorney Suzanne Walsh serves on the Uniform Law Commission’s Drafting Committee on the Regulation of Virtual Currency Businesses which is drafting model regulations for this nascent industry.
  • Counterintuitively, bitcoins, the most recognizable digital currency, cannot be easily used for money laundering, according to the FBI, as the transactions are publicly traceable.

According to the Identity Theft Resource Center there were a total of 110 data breaches and almost 1.8 million records exposed during just the first two months of 2016. Moving forward we can expect the volume of data breaches to continue to increase. This means that the challenges of protecting individuals, businesses and organizations from new threats, as well as staying compliant with new laws and regulations, will become much more complex.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Murtha Cullina | Attorney Advertising
