This morning, the European Commission released a Proposal for a Regulation addressing the EU’s cybersecurity industry as part of its next step towards a Digital Single Market, which is the EU’s strategy to ensure fair competition, consumer and data protection, and removal of copyright and geo-blocking issues for individuals participating in online activities and accessing online content.  The Regulation would establish the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres in order to “equip Europe with the right tools to deal with an ever-changing cyber threat.”  See their Fact Sheet here.  The EU has various initiatives in place to address today’s current cyber threats, as well as the deterrence of future attacks.  Specifically, it is working with member states to improve cybersecurity initiatives, EU-level cooperation, and risk prevention, and plans to establish an EU-wide certification framework to ensure products and services are cyber-secure.  Today’s proposal carries these initiatives further by suggesting the creation of a Network of Competence Centres and a European Cybersecurity Industrial, Technology and Research Competence Centre “to develop and roll out the tools and technology needed to keep up with an ever-changing threat.”  See Fact Sheet.  The Commission is hoping that the creation of this Network will allow the many existing cybersecurity competence centres in the EU to pool and share information and expertise, help deploy EU cybersecurity products and solutions, and facilitate cooperation between industries and communities.  The Network will unite existing member state centres and allow them to co-invest to drive research and innovation, and allow for additional investment and funding to improve the EU’s digital economy, and the Centre will aid in facilitating the work of the Network.

Under this framework, each EU member state will be responsible for nominating one national coordination centre which will essentially be that country’s leader and representative to the community; these local centres will carry out actions under the Regulation, as well as determine the distribution of funds on a local level.  The Commission expects that creation of one, centralized framework will allow for increased coordination and exchange of expertise and knowledge, cost savings through co-investment, and opportunity for the EU to become a global leader in cybersecurity.

Seyfarth Shaw Partner Jordan Vick is on the panel for the “Playing by the Rules: Rule Changes Essential to Your Practice” session on Friday, November 16, at Georgetown Law’s 15th annual Advanced eDiscovery Institute in Washington, D.C.

Session topics include:

  • The 2015 Amendments to the FRCP and their actual impacts on practitioners, including unintended consequences
  • How the changes to Federal Rule of Evidence 902 will change how parties and the court can streamline authentication of ESI and potentially eliminate the need to call a witness at trial
  • What other changes the Rules Committee is discussing that may impact eDiscovery professionals
  • Pilot accelerated disclosures and their impacts in Illinois and Arizona, including the Mandatory Initial Discovery Pilot Program (“MIDP”) in the Northern District of Illinois

For more information, to see the full schedule, or to register, click here.

At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018.  The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR.  The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors.  Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.

The Act provides California residents some rights that also appear familiar.  For example:

  • Consumers can request a copy of all the Personal Information a business has collected;
  • Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
  • Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.

Continue Reading California’s Consumer Privacy Act of 2018 – Get Ready for New GDPR Style Requirements in the US

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.

How to Get Your Desktop Guide:

To request the Data Privacy & Protection in the EU-U.S. Desktop Guide as a pdf or hard copy, please click the button below:

GDPR Webinar Series

Throughout August and October of 2017, Seyfarth Shaw’s attorneys provided high-level discussions on risk assessment tools and remediation strategies to help companies prepare and reduce the cost of EU GDPR compliance. Each segment is one hour long and can be accessed on-demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.

For updates and insight on GDPR, we invite you to click here to subscribe to Seyfarth’s Carpe Datum Law Blog and here to subscribe to Seyfarth’s The Global Privacy Watch Blog.

When you bring to mind someone “hacking” a computer, one of the images that likely comes up is a screen of complex code designed to crack through your security technology.  While there is a technological element to every security incident, the issue usually starts with a simple mistake made by one person.  Hackers understand that it is far easier to trick a person into providing a password, executing malicious software, or entering information into a fake website than to crack an encrypted network — and hackers prey on the fact that you think “nobody is targeting me.”

Below are some guidelines to help keep you and your technology safe on the network.

General Best Practices

Let’s start with some general guidelines on things you should never do with regards to your computer or your online accounts.

First, never share your personal information with any individual or website unless you are certain you know with whom you are dealing.  Hackers often will call their target (you) pretending to be a service desk technician or someone you would trust.  The hacker then asks you to provide personal information such as passwords, login IDs, computer names, etc., all of which can be used to compromise your accounts.  The best thing to do in this case, unless you are expecting someone from your IT department to call you, is to politely end the conversation and call the service desk back on a number provided to you by your company.  Note that this type of attack also applies to websites.  Technology exists for hackers to quickly set up “spoofed” websites, or websites designed to look and act the same as legitimate sites with which you are familiar.  In effect this is the same approach as pretending to be a legitimate IT employee; however, here the hacker entices you to enter information (username and password) into a bogus site in an attempt to steal the information.  Be wary of links to sites that are sent to you through untrusted sources or email.  If you encounter a site that doesn’t quite look right or isn’t responding the way you expect it to, don’t use the site.  Try to access the site through a familiar link.

Second, whether or not you have a Bring-Your-Own-Device (“BYOD”) program at work, chances are you will at some point be using a mobile device to conduct business.  Don’t feel that your mobile phone is invulnerable to being compromised.  (Every networked device — Apple, Microsoft, Android, Linux, etc. — can be compromised.)  Mobile hacking is one of the fastest growing areas for exploiting individuals and companies.  This is largely because people do not typically have security programs — such as anti-virus software — on their mobile device.  Additionally, people often connect their mobile devices to public networks, like those available at coffee shops, hotels, etc. — these networks are not secure.  Your best defense against having your mobile device hacked is to install a decent security app and be sure to turn off the Wi-Fi, Bluetooth, and Hotspot settings when they are not in use.  Also, try to only install apps from companies you recognize.  Further, mobile banking and purchasing apps make life easy, but if you don’t have security software — or if you are conducting a larger transaction — you may want to do it on your computer.

Next, if your computer’s security software pops up a security warning, pay attention to it.  Oftentimes we are in a hurry and tend to click through these types of warnings, but that is a mistake.  The warning is there for a purpose, whether it is a flag indicating that a website is potentially dangerous or a notice that your computer has detected malware.  When you see a warning it is best to stop what you are doing, close down any open websites, and call your help desk.  You may also want to scan the computer with your security software.  However, be careful of “security warnings” that pop up from websites.  If the warning does not look like the warnings you are used to, and does not indicate the name of your security software, it may be a malicious attempt to compromise your computer.

Finally, don’t plug USB drives into your computer unless you know where they came from and where they have been.  Rogue USB drives are a method by which hackers get malicious programs onto your computer.  The drive may contain an enticing file that, when clicked, loads a virus onto your computer, or in some cases the drive may load the malware simply by being plugged into your USB port.  So, if you find a USB drive lying around, it is best to turn it in to IT or throw it away. Continue Reading Cyber Security Best Practices

The use of open file sharing platforms in business continues to increase in 2017; Dropbox alone has over 200,000 active business accounts. Unfortunately, the convenience of these platforms and the increase in use by businesses attracts the attention of hackers as well.  File sharing platforms and accounts have a high “hack value” — the overall value of the accounts on the dark web — due to the relative ease with which accounts can be obtained and the sensitivity of the information stored on these platforms. The risk associated with the use of file share platforms is twofold.  First, company-supported file share is attractive to attackers because it is guaranteed to contain sensitive information.  Second, file share platforms available to employees outside of the company — e.g. an employee’s personal Google Drive account — may be used to store company information, but likely do not use the same security standards as those enforced by the company. Attacks on file share platforms are also very real.  In August of 2016 Dropbox forced users to reset their passwords based on a breach — 60 million account credentials compromised — that had only just been discovered but was executed four years earlier in 2012.

Thus, it is important that businesses educate their employees on the risks of sharing information on these platforms and apply strict administrative and technical safeguards to mitigate the risk of attack.

Common File Share Attack Approach

The most common approach attackers use to compromise file share platforms is phishing. Phishing is a technique by which the attacker sends out a legitimate-looking (albeit fake) email which entices the employee to click on a link and provide information — such as login credentials — which goes directly to the attacker. Alternatively, the phishing attack may convince the employee to download an infected file to the same ends.  Once the attacker has compromised the file share, he or she can either steal information directly, escalate privileges to access more information, obtain additional account credentials, or sell the information on the dark web.  Access to the file share can also be used to perform a Denial of Service (“DoS”) attack by downloading or uploading large volumes of data, thus congesting the network and preventing legitimate use.

Despite Google’s perceived safety, two major phishing attacks have been reported on Google accounts in the last two years. In late 2016, over a million Google accounts were compromised by a malware attack known as Gooligan, designed to steal credentials allowing access to the victim’s Google services. Gooligan infected an estimated 13,000 devices per day during its lifecycle.  Again in early 2017, Google accounts were targeted with a message requesting the user to download a file.  When the user selected the link to download the file, a fake service that looked like a legitimate Google service would request access to the user’s Gmail account.

Mitigating Risk

Businesses can mitigate the risk of file share attacks by implementing strict policies and sanctions regarding their use.  For example, all non-business file share sites can be blocked on the company’s network. Strict policies and monitoring should be in place to gain access to file share sites, and employee accounts with such access should be closely monitored. Businesses should also implement test “phishing campaigns” — sending out company-controlled phishing emails — to educate employees on what these emails look like and how to avoid them.  Phishing tests also help businesses understand their risks by monitoring the number of employees who click on the bogus links. Whereas businesses have less control over employees loading data onto personal file share accounts, strict sanctions should be in place regarding this activity and employees should be aware of these sanctions.
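The two controls above (an allow-list of business file share sites, and spotting the spoofed links that phishing emails carry) can be combined in one check. The following is an added example, not code from the original post: it assumes a constructed company allow-list of file share domains and flags links that are either unapproved outright or lookalikes of an approved service, which is the kind of rule an email gateway or web proxy policy could apply.

```python
"""Classify file-share links in a message against a company allow-list.

Added example (not code from the original post). APPROVED_DOMAINS is a
constructed allow-list; the homoglyph table and edit-distance threshold
are heuristics, not a complete anti-phishing solution.
"""
from urllib.parse import urlparse

# Constructed allow-list: the file share services the company supports.
APPROVED_DOMAINS = {"dropbox.com", "drive.google.com"}

# Digits commonly swapped in for letters to mimic a legitimate hostname.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _normalize(host: str) -> str:
    """Lower-case the host and undo common look-alike substitutions."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, approved=APPROVED_DOMAINS) -> str:
    """Return 'approved', 'lookalike' or 'unapproved' for one URL."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unapproved"
    # Exact match, or a genuine subdomain of an approved domain.
    for good in approved:
        if host == good or host.endswith("." + good):
            return "approved"
    norm = _normalize(host)
    for good in approved:
        # Approved name buried inside an unrelated registrable domain,
        # e.g. dropbox.com.verify-account.example, or a homoglyph spelling.
        if good in norm:
            return "lookalike"
        # Single-character typosquat of the approved name.
        if _edit_distance(norm, good) <= 1:
            return "lookalike"
    return "unapproved"


if __name__ == "__main__":
    # Constructed sample links as they might appear in a phishing email.
    for link in ["https://www.dropbox.com/s/abc", "http://dropb0x.com/login",
                 "https://dropbox.com.verify-account.example/", "https://box.example/"]:
        print(link, "->", classify_link(link))
```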

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance. Continue Reading Is your organization ready for the new EU General Data Protection Regulation?

Recently, a widespread global ransomware attack has struck hospitals, communications companies, and other types of companies and government offices around the world, seizing control of affected computers until the victims pay a ransom.  This widespread ransomware campaign has affected various organizations, with reports of tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.  The software can run in as many as 27 different languages.  The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly.

Continue Reading WannaCry Ransomware Attack: What Happened and How to Address

China has finalized a broad new Cyber Security Law, its first comprehensive data privacy and security regulation.  It addresses specific privacy rights previously adopted in the European Union and elsewhere such as access, data retention, breach notification, mobile privacy, online fraud and protection of minors.

There is plenty in the new law to irritate international businesses operating in China.  It requires in general that Chinese citizens’ data be stored only in China, for starters, possibly requiring global corporations to maintain separate IT systems for Chinese data.  Most of the privacy enhancements benefiting citizens align with those required in the European Union, but it is unclear how the Chinese will expect compliance, particularly since, as with many Chinese laws, its language is vague as to its scope, application and details.  This vagueness leaves interpretation to the State Council, the chief administrative authority in China, headed by Premier Li Keqiang.

The law expands Chinese authorities’ power to investigate even within a corporation’s Chinese data systems, and provides for draconian penalties for non-compliance by business entities or responsible individuals that include warnings, rectification orders, fines, confiscation of illegal gains, suspension of business operations or the revocation of the entity’s business license. Continue Reading China Finalizes New Cyber Security Law


We have all heard this before, but just how bad are things really? According to Verizon’s 2016 Data Breach Investigations Report (“DBIR”), insider and privilege misuse was once again one of the leading causes of incidents and breaches in 2015, accounting for 10,489 total incidents, 172 with confirmed data disclosure. Some of this misuse is perpetrated by malicious actors motivated by financial gain, and some of it is due to the actions of well-meaning employees who either lacked cybersecurity awareness or simply made a mistake.

While there are no perfect answers for addressing the multitude of possible insider attacks, which can range from privilege abuse, to data mishandling, to the use of unapproved hardware, software, and workarounds, to email misuse, implementing the steps below can go a long way in reducing the risks.

Five Steps to Reduce Insider Misuse

Continue Reading Employers, Your Worst Cybersecurity Threat May Already Be on Your Payroll