Archives: New + Now

Subscribe to New + Now RSS Feed

Employers and Wellness Plans: Questions about Quest Breach?

Last week, we wrote that Quest Diagnostics reported in a security filing that a collection agency performing collections for the company had suffered an intrusion that exposed almost 12 million individuals’ personal and financial information [view related post]. Another lab company reported days later that it was notified that the information of 8 million of … Continue Reading

CCPA Update

We have been watching all of the activity around the proposed amendments to the California Consumer Privacy Act (CCPA) to see where the law settles to assist with compliance. Not surprisingly, but nonetheless important to know, is the fact that the California Assembly on May 29, 2019, unanimously passed an amendment to CCPA that excludes … Continue Reading

Questions to Consider Asking Your Broker About Cyberliability Coverage

One of the first questions we ask our clients when they call about a security incident is whether they have insurance that may cover the costs associated with investigating the incident, potential forensic analysis, and coverage for a data breach. Sometimes the client will say “Yes, we have cyber coverage.” However, when reviewing the coverage … Continue Reading

Fully Executed Contracts are Preferred

We have been involved in several situations lately with security incidents where we ask our clients for the final executed contract with the vendor that we believe caused the incident, but the contract that we receive has not been fully executed by both parties. Without getting into the legal implications of not having a fully … Continue Reading

Tech Company Execs Sweat Personal Liability for Privacy Violations

In the Privacy Law classes I teach in the Brown University Executive Masters of Cybersecurity and at Roger Williams University School of Law, we discuss the enforcement authority that the Federal Trade Commission (FTC), the Office for Civil Rights (OCR) and other federal and state agencies have over data privacy and security, including how effective … Continue Reading

Limitation of Liability

I continuously confront vendors who say I am “the only” lawyer who objects to limitation of liability provisions that attempt to limit the liability of a security incident to the amount of the contract. That is very hard for me to believe. The value of the contract has no relevance to the actual damages and … Continue Reading

Cybersecurity Reporting to the Board

Robinson+Cole has the distinct pleasure to host the CISO Executive Network in Hartford and Boston. It is an opportunity to hang out with Chief Information Security Officers (CISOs), develop relationships with them, discuss commonality in the issues they experience, and collaborate on different strategies to address their concerns. This week the meetings centered around effective … Continue Reading

Incident Response Plan Saves Money

The Ponemon Institute recently completed research, sponsored by IBM Resilient, entitled “The 2019 Cyber Resilient Organization,” which surveyed more than 3,600 security and IT professionals around the world to determine organizations’ ability to maintain their core purpose and integrity in the face of cyber-attacks. According to IBM, the research found that “a vast majority of … Continue Reading

Think Like a Hacker

I was with a bunch of CFOs this week talking about cybersecurity and I told them how easy it is for hackers these days. They can infiltrate a company’s system by compromising an O365 account that doesn’t have multi-factor authentication, and according to a Ponemon study, are in the company’s system for over 200 days. … Continue Reading

Workplace Privacy

In the Privacy Law class I teach at Roger Williams Law School, we are discussing workplace privacy. Students over the years have been surprised that there are so few laws that govern employees’ privacy in the work place, and in general believe that workers have an expectation of privacy. The law doesn’t really reflect this … Continue Reading

Password Fatigue

Everyone hates passwords. They are difficult to remember, and human nature is to re-use them across platforms, which is well-known to be a no-no. Managing passwords is time consuming, cumbersome and a pain. Which is why they continue to be a problem for security. A recent research study sponsored by Yubico and conducted by Ponemon … Continue Reading

Preparing for Compliance with the California Consumer Privacy Act

On the heels of working with clients on compliance with the European Union’s General Data Privacy Regulation (GDPR) and the rapidly evolving landscape of data privacy and security laws and regulations, the next hurdle to set compliance sights on for organizations is the California Consumer Privacy Act (CCPA). We have previously outlined the requirements of … Continue Reading

Employees and Partner Organizations Pose Threat to Companies

According to the 2019 Verizon Insider Threat Report, 20 percent of all cybersecurity incidents and 15 percent of data breaches in 2018 were caused by insiders—that is, employees or partner organizations. The reasons for these threats included financial gain (to use or sell company data to make money—47.8 percent), pure fun (23.4 percent) and espionage … Continue Reading

Be Aware of Your Company’s Online Profile

It is amazing how much information about a company and its executives and employees can be gleaned from spending a little time on the web. Marketing teams of companies are focused on capturing the mentions of the company in traditional media outlets in order to promote it through social media. They also are focused on … Continue Reading

HIPAA Data Breach Reports Due to OCR by 2/28/19

The HIPAA (Health Insurance Portability and Accountability Act) breach notification regulations require covered entities to self-report the unauthorized access, use or disclosure of unprotected protected health information (PHI) to the Office for Civil Rights (OCR). If the data breach involves more than 500 individuals, the notification must be made to the OCR immediately. If the … Continue Reading

Data Privacy & Security Considerations in Mergers & Acquisitions Due Diligence

It has long been standard practice to include data privacy and security due diligence in mergers and acquisitions for technology companies. Over the last several years, there has been an increase in data breaches which are costly and damaging to a company’s brand, and therefore, we have seen an uptick in companies including detailed requests … Continue Reading

Do You Have a WISP?

Although the Massachusetts Data Security Regulations went into effect March 1, 2010, I still find that many companies have not implemented a Written Information Security Program (WISP) and don’t know that they are required to do so. According to the regulations, any companies or persons who store or use personal information of a Massachusetts resident … Continue Reading

The Tricky World of Cyberliability Insurance

2018 was the year of hearing from clients that they are convinced that they “have cyberliability insurance” to finding out that they really don’t have the coverage that they need for the most common cyber risks. We can’t count the number of times that we have assisted clients in the past year with cyber intrusions, … Continue Reading

Patch, Patch, Patch Those Vulnerabilities

The bane of data security is the patch. The patch is what your IT guys are doing in the background to fix vulnerabilities in software that are known to the manufacturers, and to attempt to fix the vulnerability before hackers can exploit it. Patching is a very important part of a security plan, but the … Continue Reading
LexBlog