Archives: New + Now


Incident Response Plan Saves Money

The Ponemon Institute recently completed research, sponsored by IBM Resilient, entitled “The 2019 Cyber Resilient Organization,” which surveyed more than 3,600 security and IT professionals around the world to determine organizations’ ability to maintain their core purpose and integrity in the face of cyber-attacks. According to IBM, the research found that “a vast majority of …

Think Like a Hacker

I was with a bunch of CFOs this week talking about cybersecurity and I told them how easy it is for hackers these days. They can infiltrate a company’s system by compromising an O365 account that doesn’t have multi-factor authentication, and according to a Ponemon study, are in the company’s system for over 200 days. …

Workplace Privacy

In the Privacy Law class I teach at Roger Williams Law School, we are discussing workplace privacy. Students over the years have been surprised that there are so few laws that govern employees’ privacy in the workplace, and in general believe that workers have an expectation of privacy. The law doesn’t really reflect this …

Password Fatigue

Everyone hates passwords. They are difficult to remember, and human nature is to re-use them across platforms, which is well known to be a no-no. Managing passwords is time-consuming, cumbersome and a pain, which is why they continue to be a problem for security. A recent research study sponsored by Yubico and conducted by Ponemon …

Preparing for Compliance with the California Consumer Privacy Act

On the heels of working with clients on compliance with the European Union’s General Data Privacy Regulation (GDPR) and the rapidly evolving landscape of data privacy and security laws and regulations, the next hurdle to set compliance sights on for organizations is the California Consumer Privacy Act (CCPA). We have previously outlined the requirements of …

Employees and Partner Organizations Pose Threat to Companies

According to the 2019 Verizon Insider Threat Report, 20 percent of all cybersecurity incidents and 15 percent of data breaches in 2018 were caused by insiders—that is, employees or partner organizations. The reasons for these threats included financial gain (to use or sell company data to make money—47.8 percent), pure fun (23.4 percent) and espionage …

Be Aware of Your Company’s Online Profile

It is amazing how much information about a company and its executives and employees can be gleaned from spending a little time on the web. Marketing teams of companies are focused on capturing the mentions of the company in traditional media outlets in order to promote it through social media. They also are focused on …

HIPAA Data Breach Reports Due to OCR by 2/28/19

The HIPAA (Health Insurance Portability and Accountability Act) breach notification regulations require covered entities to self-report the unauthorized access, use or disclosure of unsecured protected health information (PHI) to the Office for Civil Rights (OCR). If the data breach involves more than 500 individuals, the notification must be made to the OCR immediately. If the …

Data Privacy & Security Considerations in Mergers & Acquisitions Due Diligence

It has long been standard practice to include data privacy and security due diligence in mergers and acquisitions for technology companies. Over the last several years, there has been an increase in data breaches, which are costly and damaging to a company’s brand, and therefore we have seen an uptick in companies including detailed requests …

Do You Have a WISP?

Although the Massachusetts Data Security Regulations went into effect March 1, 2010, I still find that many companies have not implemented a Written Information Security Program (WISP) and don’t know that they are required to do so. According to the regulations, any companies or persons who store or use personal information of a Massachusetts resident …

The Tricky World of Cyberliability Insurance

2018 was the year of hearing from clients that they are convinced that they “have cyberliability insurance” to finding out that they really don’t have the coverage that they need for the most common cyber risks. We can’t count the number of times that we have assisted clients in the past year with cyber intrusions, …

Patch, Patch, Patch Those Vulnerabilities

The bane of data security is the patch. The patch is what your IT guys are applying in the background to fix vulnerabilities in software that are known to the manufacturers, in an attempt to close the vulnerability before hackers can exploit it. Patching is a very important part of a security plan, but the …

Addressing Insider Threats

In data privacy and security jargon, an insider threat usually includes: an employee who creates a security risk due to a lack of awareness or carelessness, but doesn’t mean to do anything wrong (clicks on a phishing email and introduces malware or ransomware into the system); an employee who creates a security risk for his …

Use of Multifactor Authentication

This has been quite the year of O365 intrusions. The story seems to be almost identical in each security incident we investigate this year, and it goes like this: Employee receives a pop-up message from Microsoft advising employee that s/he must change his or her password for security purposes. Employee types his or her user …

Vendor Management

A challenging risk management project that many clients are undertaking is vendor management. Ever since the Target breach, when an HVAC vendor’s employee clicked on a phishing email that allowed an intruder to compromise Target’s system, vendor management has been an issue to be addressed by company data privacy and security teams. Vendor management is …

Record Retention

An ongoing and frequent request is to assist clients with record retention guidelines and migration from storing massive amounts of paper records to an electronic system. How to do this correctly cannot be fully encapsulated in a blog post, but here are a few thoughts to consider when tackling this cumbersome process. There are very …

Test Your Employees with Internal Phishing Campaigns

Phishing campaigns continue to be one of the most successful ways for malicious intruders to access company information, including personal information of employees and customers. Phishing emails continue to get more and more sophisticated and employees continue to fall victim to them, often putting the entire company at risk. Typical successful phishing campaigns end with …

Ransomware and Back-Up Plans

Ransomware continues to be an issue for all industries. The latest statistics on the number of new variants introduced on the web every day are concerning. It is nearly impossible for companies to keep up with the increase in frequency and sophistication of malware attacking networks and systems. In my experience, companies continue to …

Privacy and Security Employee Education Efforts

As more and more companies fall victim to data loss through phishing campaigns and insider threats, and the loss of data becomes riskier, companies are struggling to address the risks through employee education efforts. Note that we call it “education” and not “training.” No one likes training, so be mindful of how you are presenting …