How Ransomware Became a Billion-Dollar Nightmare for Businesses

In recent months, a proliferation of ransomware attacks has affected everyone from personal-computer and smart-phone owners to hospitals and police departments, reports The Atlantic. Reporter Adam Chandler explains the attack like this: “A virus arrives and encrypts a company’s data; then a message appears demanding a fee of hundreds or thousands of dollars. If the ransom is paid in time, the information is restored.” In this crime, it’s individuals and businesses, not retailers and banks, that are footing the bill for data breaches.

The FBI says ransomware attacks cost their victims a total of $209 million in the first three months of 2016, up from $24 million in all of 2015. And the real number could be much higher if unreported attacks are considered.

Datto, a Connecticut-based cybersecurity company, conducted a survey of 1,100 IT professionals that found nearly 92 percent had clients that suffered ransomware attacks in the last year, including 40 percent whose clients had sustained at least six attacks.

“Ransomware attacks originate largely in Russian or Eastern European outfits, but in recent years, they’ve come from all over the world,” Chandler writes.

Read the article.

For Businesses, Vendor Contracts Can Have Huge Cybersecurity Implications

With all the pressure on companies to build a robust cybersecurity defense within their own four walls, one area of risk might be getting overlooked, writes Shawn Shinneman of the Dallas Business Journal.

He talked to Sara Romine, an attorney at Carrington Coleman in Dallas, to find out how to deal with an attack that comes in through a third-party vendor.

Companies can be at risk and liable when dealing with vendors who have direct access to sort, store or transmit their data, she told the reporter.

“She’s found that companies tend to make some mistakes that grant leverage to the other side during negotiations either to strike a new agreement or renew an existing one. One big one is waiting until the last month or so to start the process,” the article reports.

Read the article.

Big Banks Form New Group to Combat Cyber Threats

The Wall Street Journal and Bloomberg Law are reporting that eight large U.S. banks are forming a new group to share information in the fight against cyber attacks.

The new cyber sharing group — which comes after thousands of banks formed a group earlier — will include Goldman Sachs, Morgan Stanley, Bank of America, J.P. Morgan Chase, State Street, Bank of New York Mellon, Wells Fargo and Citigroup.

“The financial-services industry ranked third in number of cyberattacks last year, after health care and manufacturing, according to a U.S. cybersecurity report released by IBM Corp. in May. Two years ago, J.P. Morgan, the largest U.S. bank by assets, was targeted by cybercriminals in a breach that exposed names, addresses and other information of 76 million customer households, although no money was taken,” The Journal reported.

Read the article.

Largest HIPAA Settlement Ever: What You Need to Know

The operator of 12 hospitals and more than 200 other treatment centers in Chicago and central Illinois has agreed to the largest settlement to date with the Office for Civil Rights for multiple potential violations of the Health Insurance Portability and Accountability Act, reports Kelly A. Leahy of Shumaker, Loop & Kendrick.

The agreement will cost Advocate Health Care Network $5.5 million and force Advocate to adopt a multi-year corrective action plan stemming from three incidents reported to OCR in 2013. The breaches involved Advocate’s medical group subsidiary, Advocate Medical Group, which employs more than 1,000 physicians. The incidents involved data breaches resulting from unencrypted devices and unauthorized access to a network.

In the article, Leahy offers some suggestions for what covered entities and business associates can do to prevent costly fines and burdensome settlements.

Read the article.

Cybersecurity for Banks: The Legal and Regulatory Framework

Practical Law will present a complimentary webinar Tuesday, July 26, 1-2:30 p.m. EDT, on evolving cybersecurity issues for banks.

In a release, the company said cybersecurity poses important and time-sensitive challenges to banks and will continue to do so into the foreseeable future. In addition to regulatory and compliance risks, cybersecurity also poses litigation and reputational risks. Bank counsel need to be at the forefront of cybersecurity to ensure that their bank’s directors, management, and employees are aware of the challenges and the measures that need to be taken.

Speakers will be Heath Tarbert and William White of Allen & Overy and Jeremy Estabrooks of Practical Law.

Topics will include:

  • What cybersecurity entails and the types of cyber threats facing banks.
  • Federal laws and regulations addressing cybersecurity.
  • Federal regulatory guidance and resources.
  • State laws and regulations addressing cybersecurity.
  • What cybersecurity issues bank counsel should currently be thinking about.

A brief Q&A session will follow.

Register for the webinar.

Court Upholds Ex-Korn/Ferry Executive’s Conviction in Hacking Case

A federal appeals court on Tuesday gave the U.S. Department of Justice broad leeway to police password theft under a 1984 anti-hacking law, upholding the conviction of a former Korn/Ferry International executive for stealing confidential client data, reports Reuters.

“The 9th U.S. Circuit Court of Appeals in San Francisco said David Nosal violated the Computer Fraud and Abuse Act in 2005 when he and two friends, who had also left Korn/Ferry, used an employee’s password to access the recruiting firm’s computers and obtain information to help start a new firm,” reports Jonathan Stempel.

The court found that Nosal acted “without authorization” even though the employee, his former secretary, had voluntarily provided her password.

Read the article.

Watchdog Group Denied Depositions in Third Clinton Email Case

Photo by Marc Nozell

A conservative watchdog group was temporarily blocked on Tuesday from interviewing former State Department officials under oath in what would have been the third lawsuit over Hillary Clinton’s emails to progress to that stage, The Hill is reporting.

The ruling delays Judicial Watch’s effort to interview officials as part of an open records lawsuit related to Clinton’s use of a private server for her personal email account when she was secretary of State. The judge told Judicial Watch to finish interviews in two other ongoing cases first.

“To avoid duplicative discovery and unnecessary expenditure of public funds, the court will stay this case pending the completion of discovery in those other cases,” Walton ordered.

“The ruling gives some relief to the State Department and Clinton, which have both been the subject of intense scrutiny over the bespoke email setup that the former secretary of State used throughout her time in the Obama administration,” wrote Julian Hattem.

Read the article.

Computer Use Policies – Are Your Company’s Illegal According to the NLRB?

The National Labor Relations Board (NLRB) has continued its assault on businesses and their ability to legitimately protect their computer systems and information against unauthorized non-business use by employees, writes Tuma in Cybersecurity Business Law.

Tuma is a cybersecurity and data protection partner at Scheef & Stone, LLP.

“On May 3, 2016, an NLRB Administrative Law Judge struck down as overbroad a Computer Use Policy in Caesars Entertainment Corporation d/b/a Rio All-Suites Hotel and Casino (NLRB Docket Sheet). The policy, titled Use of Company Systems, Equipment, and Resources, was part of the company handbook and stated that computer resources may not be used to do several things that were listed out and is standard in many similar policies,” he writes in his article.

Read the article.

Morgan Stanley Pays $1 mln SEC Fine Over Stolen Customer Data

Morgan Stanley has agreed to pay a $1 million fine to settle U.S. Securities and Exchange Commission civil charges that security lapses at the Wall Street bank enabled a former financial adviser to tap into its computers and take client data home, the regulator said, according to Reuters.

“The settlement resolves allegations related to Galen Marsh’s unauthorized transfers from 2011 to 2014 of data from about 730,000 accounts to his home computer in New Jersey, some of which was hacked by third parties and offered for sale online,” Reuters reports.

“According to the SEC, Morgan Stanley violated a federal regulation known as the Safeguards Rule by failing to properly protect customer data, allowing Marsh to access names, addresses, phone numbers, and account holdings and balances,” the report says.

Read the article.

Two Accused in J.P. Morgan Hacking Case Plead Not Guilty

In their first U.S. court appearances, two Israeli men pleaded not guilty on Thursday to charges that they broke into a dozen companies’ computer networks, including J.P. Morgan Chase & Co., to facilitate a global network of criminal activity, report The Wall Street Journal and Bloomberg News.

Gery Shalon and Ziv Orenstein have been in custody in Israel since their arrest last summer. They were extradited to the United States to face the charges.

“Federal prosecutors accused the three men and their accomplices of carrying out data breaches at a dozen companies and turning the stolen information, including customers’ email addresses and phone numbers, into hundreds of millions of dollars,” reports Nicole Hong for The Journal. “The hacking allegedly facilitated a host of other crimes, including illegal internet casinos, pump-and-dump schemes, a payment processing service for other criminals and an unlicensed bitcoin exchange.”

Read the article on The Wall Street Journal or Bloomberg News.

Drafting Data Privacy and Security Compliant SaaS in a Post-Safe-Harbor World

Practical Law will present a free 75-minute webinar in which Matthew A. Karlyn, partner with Foley & Lardner LLP and co-author of “A Guide to IT Contracting: Checklists, Tools and Techniques,” will discuss practice tips on data privacy and security provisions of SaaS and other cloud service agreements, including a discussion of recent trends and issues.

The webinar will be Wednesday, June 15, at 1 p.m. EDT.

Data privacy and security are key issues for businesses that seek to upload their information onto the cloud, the company says on its website. Customers need assurance that the software as a service (SaaS) or other cloud service provider will maintain effective policies and practices to safeguard the confidentiality and security of their information.

In seeking this assurance, it is not enough for the customer to conduct due diligence of the provider’s practices because those practices, like the laws and regulations that govern them, can be a fast-moving target. Only by the skillful drafting of the customer’s cloud service agreement can counsel aim to ensure that the customer’s confidential, trade secret, and personal information stay well protected and that both the service provider and customer remain compliant with data privacy and security laws.

A key case is the pending replacement of the EU-US safe harbor framework with stringent requirements of a new, EU-US Privacy Shield for the handling of personal data. It is crucial to businesses that their cloud service agreements include terms broad enough to anticipate such legal developments, technological advances, and changes in standards and practices.

In this program, attendees will:

  • Learn how to avoid common errors in data security, privacy, and disaster recovery provisions and provide for proper data protection both during and after the term of the cloud agreement.
  • Explore effective remedies for breaches of data privacy and security.
  • Consider the requirements of the EU-US Privacy Shield and its anticipated impact on cloud service customers and providers and the terms of their cloud service agreements.

A short Q&A session will follow.

Presenters:

  • Matt Karlyn, Co-Chair Technology Industry Team, Foley & Lardner
  • Paul Connuck, Senior Legal Editor, Intellectual Property & Technology

CLE credit is available for: Arizona, California, Colorado, Georgia, Hawaii, Illinois, Indiana, Mississippi, Missouri, New Hampshire, New Jersey, New York, North Carolina, Oklahoma, Pennsylvania, Vermont, Washington. CLE credit is being sought for: Louisiana, Minnesota, Oregon, Tennessee, Texas, Virginia. CLE can be self-applied for in: Florida.

Register for the webinar.

Governance Challenges 2016: M&A Oversight

The National Association of Corporate Directors’ 2016 edition of Governance Challenges combines guidance from five strategic content partners of the NACD with broad M&A expertise. The report addresses the importance of early board engagement in strategy, the need for proactive dialogue with all key stakeholders, and the imperative to balance short-term and long-term goals throughout the M&A process.

A complimentary copy of the report is available for download.

Boards can use this new resource to:

  • identify “drive and drag” factors that can advance or delay transaction results;
  • monitor key aspects of the due-diligence process before approving the deal;
  • understand the tax implications of a prospective transaction;
  • consider exposure to risk from antitrust liability, cybersecurity challenges, and environmental liability; and
  • select and retain talent and adjust compensation arrangements during the leadership change.

Download the report.

Judge: Video of Clinton Aides’ Depositions to Be Kept Secret

Videos of Hillary Clinton’s former aides and others giving depositions in a lawsuit related to her private email set-up will be kept secret, at least for now, a federal judge ruled Thursday, according to a report by Politico.

The report says U.S. District Court Judge Emmet Sullivan granted a request from former Clinton Chief of Staff Cheryl Mills that the deposition recordings be kept from the public because of the potential they could be used for partisan purposes or perhaps used in attack ads against Clinton, the frontrunner for the Democratic presidential nomination.

“The public has a right to know details related to the creation, purpose and use of the clintonemail.com system. Thus, the transcripts of all depositions taken in this case will be publicly available. It is therefore unnecessary to also make the audiovisual recording of Ms. Mills’ deposition public,” the judge wrote.

Read the article.

Clinton E-Mail Use Violated Rules, State Department Audit Finds

Photo by Gage Skidmore

Democratic presidential front-runner Hillary Clinton’s use of a private e-mail system while she was secretary of state violated State Department rules, the agency’s Inspector General concluded, according to a report published by Bloomberg.

“The audit by the State Department’s independent investigator found no evidence that she requested guidance or approval to conduct official business via personal e-mail on a private server — and concluded the agency likely wouldn’t have granted the request,” the report says. “The Inspector General also faulted the State Department’s handling of electronic records and communications beyond Clinton’s tenure.”

In its conclusion, the Office of the Inspector General wrote: “Longstanding, systemic weaknesses related to electronic records and communications have existed within the Office of the Secretary that go well beyond the tenure of any one Secretary of State.”

Read the article.

Big Law Business Summit: June 9, New York

Registration is being accepted for Bloomberg Law’s premier legal event, the annual Big Law Business Summit in New York City, scheduled for Thursday, June 9.

The event will be at the Apella, Event Space at Alexandria Center, 450 E 29th Street in New York, NY 10016, beginning with breakfast and registration at 8:15 a.m. EDT and ending with a closing keynote and then a party at 5:50 p.m.

General Counsel News readers may attend at no charge. (Registration form)

Two of the speakers will be:

  • Magistrate Judge James Orenstein, U.S. District Court (E.D.N.Y.), who recently entered the debate around the government’s ability to compel unlocking of cell phones. Bloomberg News reports, “Orenstein is the first judge to thoroughly explore what the government can and cannot access.”
  • Manhattan District Attorney Cyrus R. Vance Jr., who will speak on collaborating across borders and sectors to detect and prevent cybercrimes. He recently testified before the House Judiciary Committee on default device encryption and the need for a federal legislative solution.

Register for the summit.

Obama Signs Trade Secrets Bill, Allowing Companies to Sue

President Obama has signed a bill allowing companies to sue to defend their trade secrets, reports USA Today. Those thefts cost the American economy more than $300 billion a year, according to the Commission on the Theft of American Intellectual Property.

“The Defend Trade Secrets Act of 2016, sponsored by Sen. Orrin Hatch, R-Utah, adds a civil component to the federal law making it a crime to steal intellectual property,” the newspaper report says. “Lawmakers said criminal penalties remain an important deterrent, but that the FBI’s resources to investigate and prosecute trade secret theft are limited.”

“Unfortunately, all too often, some of our competitors, instead of competing with us fairly, are trying to steal these trade secrets from American companies, and that means a loss of American jobs, a loss of American markets, a loss of American leadership,” Obama said.

Read the article.

A Leak Wounded This Company. Fighting the Feds Finished It Off

Atlanta-based LabMD was a successful company that tested blood, urine, and tissue samples for urologists, and had about 30 employees and $4 million in annual sales. Then one day in 2008, the company’s general manager received a phone call from a man who claimed to be in possession of a file containing LabMD patient information, including more than 9,000 Social Security numbers, reports Bloomberg.

Then came the sales pitch: His company, Tiversa, offered an investigative service that could identify the source and severity of the breach that had exposed this data and stop any further spread of sensitive information — at a cost of about $38,000. After some back-and-forth, LabMD told Tiversa to direct all communication through its lawyers. Then the Federal Trade Commission came calling.

LabMD’s woes could end up finishing off the once-promising business.

Read the article.

What Can Be Learned From the Panama Papers About the Cloud?

According to Grant Gross of IDG News Service, the document leak now known as the Panama Papers included 11.5 million confidential documents dating from the 1970s through late 2015: 4.8 million emails, 3 million database files, 2.2 million PDFs, 1.1 million images and 320,000 text documents. All of these documents came from the Panamanian law firm Mossack Fonseca.

Allegedly these leaked documents reveal how dozens of high-profile professionals including public officials in countries including the U.K., France, and China have hidden their wealth abroad to avoid paying taxes, ContractRoom reports on its website.

What is clear is that if indeed these files were hacked from emails or off the server of Mossack Fonseca, this firm was not using a Cloud platform with proper security and encryption to store their documents. It appears they were using an on-site server.

Read the article.

Legal Group Poised to Quiz Clinton Aides About Email Server

The State Department has agreed to a conservative legal group’s request to question several current and former government officials about the creation of Hillary Clinton’s private email system, reports the Associated Press.

A judge granted the group, Judicial Watch, limited discovery to ask the officials why Clinton relied on an email server in her New York home during her tenure as secretary of state.

If the judge approves of the agreement, lawyers from Judicial Watch will be allowed to depose Clinton’s top aides, including former chief of staff Cheryl D. Mills, deputy chief of staff Huma Abedin and undersecretary Patrick F. Kennedy, the report says.

Read the report.

How Close Are Smart Contracts to Impacting Real-World Law?

Josh Stark, lawyer and head of operations and legal at blockchain consulting firm Ledger Labs, comments in an opinion piece on CoinDesk on “smart contracts” as an alternative form of legal agreement, speculating on how they could come to impact his industry.

“Banks, exchanges, and other financial institutions are actively developing blockchain technologies that will enable them to store and trade real assets over blockchain systems. Nasdaq, in partnership with blockchain startup Chain, has developed and begun testing a private-market equity trading platform,” he writes.

“The impact will not be limited to financial contracts, although these are the most obvious use cases. As techniques are developed that enable other types of property to be recorded and transacted on a blockchain, the possible applications for smart contracts will multiply,” he adds.

Read the article.