Microsoft Sues Feds, Challenging Gag Orders on Customer-Data Seizures

Microsoft sued the U.S. government Thursday, arguing that a law that can prohibit technology companies from telling customers when law enforcement comes looking for their data is unconstitutional, reports The Seattle Times.

This action is seen as the latest high-profile challenge to the reach of law enforcement into cyberspace, following Apple’s fight against an FBI order to disable an encryption measure on an iPhone connected to the San Bernardino mass shooting.

“When law-enforcement agencies get a warrant to grab email or other data stored online, they can request a court order to bar Internet service providers from informing the user their documents were seized,” the report says. “Microsoft said it has received about 5,600 federal demands for consumer data in the past 18 months, almost half accompanied by such gag orders.”

Read the article.

The 10 FBI Questions That Could End Clinton’s White House Dreams

The FBI’s upcoming interview of Hillary Clinton will be a turning point in the race for Democratic nominee, especially since Clinton won’t be able to speak to FBI director James Comey and his agents in the same manner her campaign has communicated with the public, writes H.A. Goodman in the Huffington Post.

The questions could include: “Why didn’t you know that intelligence could be retroactively classified?” and “Did President Obama or his staff express any reservations about your private server?”

Others could include: “How was your private server guarded against hacking attempts?” and “What was the political utility in owning a private server and never using a State.gov email address?”

Read the article.

How Law Firms Should Strengthen Cybersecurity to Protect Themselves and Clients

By Amy Terry Sheehan and Jill Abitbol
The Cybersecurity Law Report

Law firms store a wealth of sensitive and confidential information electronically, making them prime targets for hackers. Weak data security not only affects business development and client retention for firms, but can also result in legal and ethical violations. How can firms meet clients’ increasing data expectations? How can clients determine how robust their current and potential firms’ systems are? What mistakes are law firms making? John Simek, vice president and co-founder of cybersecurity and digital forensics firm Sensei Enterprises, Inc., answered these and other questions about law firm data security in a conversation with The Cybersecurity Law Report. See also “Sample Questions for Companies to Ask to Assess Their Law Firms’ Cybersecurity Environment” (Jun. 17, 2015).

CSLR:  What are the specific cybersecurity threats that law firms currently face?

Simek:  Probably the most prevalent threats that we’re seeing now, and not necessarily targeted ones, involve ransomware. At the end of last year, in the northern Virginia area alone, there were four law firms that got hit with ransomware attacks in just one month.

The key is for firms to make sure that their backups are engineered properly to recover from a ransomware infection. Then they are in a position to restore their data without having to pay the ransom. Of those four law firms that were hit with ransomware at the end of last year, two were engineered correctly and two were not.

[See “How to Prevent and Manage Ransomware Attacks” Part One (Jul. 15, 2015); Part Two (Jul. 29, 2015).]

CSLR:  What do you recommend to firms that have not yet proactively engineered proper backups?

Simek:  I tell solo practices and small firms, which tend to use external hard drives for backup, to disconnect that device after they’ve done their backup. That way, in the event their system gets infected, it won’t impact their backup. If their external drive is still connected to their computer, and their computer gets infected, their backup is going to get infected too. It’s a very simple thing. There’s no cost to doing that. It’s just a procedural piece.

I recommend hardware-based backup solutions for mid to larger firms. Hardware-based, also called agent-based, backup is not seen as a drive letter or a network share. The data is moved via software to the backup device.

CSLR:  Do you recommend that firms use cloud backups?

Simek:  Cloud backups are good as well. The key in cloud backups, and particularly for attorneys because of their ethical duties to protect the confidentiality of the data, is to select a cloud solution where the firm can control the encryption key. Not all backup solutions and cloud solutions will allow users to do that.

Carbonite, which is used by a lot of solo to mid-sized firms, allows users to define the encryption key themselves. Some cloud providers do not want users to do that because they fear that if the user forgets the encryption key, their backups will be useless. Although that is certainly a possibility, if a firm is planning to use a cloud-based backup, it will want a provider that allows it that control.

OneDrive, for example, does not allow users to define what that encryption key is. So that means that Microsoft can decode data stored in the cloud if it wanted. With Apple iCloud, Apple also can decode backup content. Apple actually can read iMessages and related content, even though it’s stored encrypted.

From an attorney’s perspective, the ability to define the encryption key is a crucial differentiator, and something they should look for in a cloud solution.

[See “Implementing an Effective Cloud Service Provider Compliance Program” (Nov. 25, 2015).]

CSLR:  In addition to the backups, what other steps should law firms currently be taking to address security threats?

Simek:  Training employees is crucial. Phishing attacks, such as emails where someone is trying to get an employee to wire money to a foreign bank, make up a large percentage of threats. The solution there – and firms tend not to want to do this – is to train employees. The people are the problem. An email message that has a malicious attachment or a malicious link in it won’t have any adverse effect unless someone clicks on it.

Firms have to educate their employees because all of the technology in the world is not going to prevent an attack. Threat actors may be smarter than the current security technology. They may be using malware that nobody has ever seen before, and your firm may be the first kid on the block to get it.

Threat actors can also get information from court filings, which are public record. Somebody can jump on Pacer and find out the name of the case and the attorney of record. They can then send an email message that purports to come from the attorney of record using a bogus email address or a fake domain and say “Here’s an updated complaint in such and such a case.” The receiving attorney will recognize the email and click on the attachment. Through training, firms can teach employees how to recognize and prevent these types of situations.

[See “Designing, Implementing and Assessing an Effective Employee Cybersecurity Training Program (Part Two of Three)” (Mar. 2, 2016).]

CSLR:  What about firms that are reluctant to invest in training because it is non-billable?

Simek:  Well, it can cost them so much more to clean up and recover from an infection, even if it’s reputational damage, than it would to educate their employees.

We see the larger firms now starting to invest more money in preventing threats. They’re beginning to see the value of what that training can do.

Some firms have gone so far, and I think this is good, as to test their employees by sending intentional phishing messages to see how many people click on what. Employees are then scored and the firm uses those scores to evaluate whether certain employees need one-on-one education.

CSLR:  Are there any other important security measures that firms should be taking?

Simek:  Patching vulnerabilities and updating are two important measures. The number one reason that firms get compromised is they are not applying patches. When you don’t patch your operating systems or your software, you’re susceptible. It doesn’t cost much to do that.

The second reason is use of outdated software. Firms don’t want to spend money to update and this makes them vulnerable to attacks. They’re still running Windows XP, which is not supported. They’re still running Internet Explorer. Internet Explorer 10 and below are no longer supported. I don’t know if a lot of law firms know that yet. There was an article several years ago in The New York Law Journal that said that continued use of Windows XP is unethical. So, firms have to upgrade their software and they have to spend money to do that.

CSLR:  What should clients expect from a law firm and would you say that client expectations are a driver for change?

Simek:  Client expectations are definitely a driver. Law firms would be reluctant to spend money on security unless clients were expecting it. The firms that are more advanced with security and related certifications will even use that as a marketing plug.

We are starting to see clients hand prospective or current firms an IT security assessment, or some sort of questionnaire, and ask them to complete and submit it as a condition of their provision of legal services to the company. Depending on the client or the firm, the client may require an independent third-party audit.

So yes, definitely, it’s the clients that are driving change and enforcing it primarily through these audits.

[See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties” Part One (Apr. 8, 2015); Part Two (Apr. 22, 2015).]

CSLR:  Are companies treating law firms like any other third-party vendor in terms of the security audit or vetting questionnaire?

Simek:  It depends, I think, on the industry and who the client is. The questionnaire or audit can be very targeted, and maybe even more stringent, for law firms because the data that companies are giving to the law firm may be extremely valuable. This is not payroll data. This is not somebody that’s just cranking out W2s for the company, for instance. This is patent information, merger and acquisition information and other confidential data. Depending on the value of the information, the client may be a lot harder on the law firm than they would on some other third-party provider.

CSLR:  How does the completed questionnaire or audit get used by the client and/or the law firm?

Simek:  The results of the audit might demonstrate to the law firm that it is deficient in certain areas of security and it might then communicate its plan to remedy those deficiencies to the client. Especially if it’s a larger client, firms want to do what they can to keep them.

CSLR:  What certifications should law firms have in place?

Simek:  I think it depends on the size. Big firms are obtaining ISO [International Standards Organization] 27001 certification, which costs a lot of money and takes a lot of time. The mid to smaller firms are not going to be able to afford to do that but there are other things that they can do, like self-certification. NIST [National Institute of Standards and Technology] has small business standards that firms can follow, which will at least help assess their infrastructure, and whether they have any weaknesses and whether the assistance of a third party is needed.

CSLR:  Is data security handled differently depending on practice area?

Simek:  It can be. It depends on the value of the data. Whether it is a law firm or a corporation, a risk assessment needs to be conducted to determine the value of the data being held and the risk of losing it. That information will define how much the firm is going to spend or what efforts the firm is going to make to protect the information or mitigate risk.

CSLR:  When is it appropriate for lawyers to use encryption in their communications?

Simek:  We’re at the stage now where every lawyer should at least have encryption capability, which includes the ability to encrypt communications and the ability to encrypt data at rest (for instance, when putting data on a flash drive).

Encrypted communication is easier today than it used to be. There are now many services that actually manage the encryption communication mechanism. Voltage and Zix are two such services. It can be as simple as clicking on a button in Outlook that says “Encrypt and Send.”

To save money, we advise smaller firms that only need to communicate in encrypted form once in a while to put the confidential information into a Word document, and then password protect that Word document. The password protection encrypts it. This can also be done using Adobe Acrobat or a WinZip file. The confidential information can then be sent as an attachment, and a separate communication would be used to transmit the password.

Firms that receive medical information or PII that falls under HIPAA may use Zix, but they can have the filter set to recognize any medical information or PII content, and then the service will automatically encrypt that message to send it.

CSLR:  Are clients being more selective about the data that they’re giving to the law firms in the first place?

Simek:  Not really. They’re not withholding the data. They’re just asking and making sure that the law firm is prepared to receive it and to properly protect it. Absent that assurance, there’s the likelihood the client will find another law firm.

CSLR:  What types of remote access or mobile device policies should law firms have in place?

Simek:  For anything related to the data the firm holds or the firm’s infrastructure, employees should know what is expected of them, what they should do, what they are allowed to do, and within what boundaries. This would require policies on remote access, computer usage, social media, internet usage, email, bring your own device, bring your own network and bring your own cloud.

The necessary policies are unique for every firm depending on the type of practice and type of attorneys. There is no template. To be effective, the policies need to be customized for every firm.

[See “How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies” Part One (Oct. 14, 2015); Part Two (Nov. 11, 2015).]

CSLR:  What is the biggest challenge you face when you are asked to respond to an incident?

Simek:  Capturing data. The number one thing that we run into when we respond to these things is that there is minimal logging, if any, going on. Nobody had the foresight to configure their devices or their systems to capture information on an ongoing basis. That’s a killer for the investigations.

CSLR:  Why are lawyers or firms not configuring their devices or systems to capture information?

Simek:  Because the default is not to. All these devices, systems and applications have the ability to capture information but it’s not turned on by default.

CSLR:  In the event of a security incident, when and how should a law firm contact its clients?

Simek:  You just hit on a real touchy nerve. If you ask a lawyer or a managing partner, they’ll say they never want to tell the clients. However, 47 states have data breach notification laws. The unfortunate part is that most lawyers don’t want to conform to them, even if they’re legally bound to. They’re also ethically bound to notify clients of a data breach.

But whenever a law firm gets breached, the argument I always get is “Well, but we don’t know with 100% certainty what data was accessed.” Yeah, that’s true. You don’t know with 100% certainty, but you’ve got a pretty good idea. And in some cases, when there is notification of clients, the clients aren’t anxious for the breach to be made public.

In some instances, the client will insist on contract terms that set forth the number of days or hours within which they should be notified of an incident.

[See “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).]

CSLR:  Have clients and law firms been able to get to a place where both sides are comfortable on the data security issue?

Simek:  It has been a wake-up call for a lot of firms. We are seeing firms use client surveys and audits to detect and remedy security deficiencies. By doing that, they are maintaining client relationships.

© 2015 – 2016 The Cybersecurity Law Report. All rights reserved.

FTC Commissioner Julie Brill Joins Hogan Lovells

Hogan Lovells announced that Julie Brill, a Commissioner at the U.S. Federal Trade Commission (FTC), will join the firm’s Washington, D.C. office as a partner and co-director of the Privacy and Cybersecurity Practice on April 1. Her FTC service will conclude on March 31.

As co-director of the Privacy and Cybersecurity practice, Brill succeeds co-director and founding partner Christopher Wolf, who will transition to a senior status at the firm. She will be joined in leadership with Marcy Wilder, co-director of the Privacy and Cybersecurity practice; Harriet Pearson, leader of the firm’s Cybersecurity Solutions Group and Cyber Risk Services business unit; and Eduardo Ustaran, a partner in the firm’s London office, and leader of the firm’s European data protection practice.

“Julie’s keen intelligence and reservoir of knowledge about privacy and data security law, combined with her commitment to consumer privacy, make her a natural leader for our privacy practice,” the firm said in a release. “She is renowned as a global leader in privacy law and public policy, and is widely recognized for her distinguished work at the FTC. We are confident she will build upon her years of experience to provide exemplary client service and practice leadership.”

Brill was appointed to the FTC by President Obama and unanimously confirmed as a commissioner in 2010.

Prior to serving on the Commission, she was an Assistant Attorney General in North Carolina and Vermont for more than 20 years. Before joining the Vermont Attorney General’s office, she was an associate at a New York law firm.

Brill earned her B.A. from Princeton University magna cum laude, and her J.D. from New York University School of Law, where she had a Root-Tilden Scholarship for her commitment to public service.


Hillary Clinton Says She Won’t Be Indicted Over Emails. Is That Right?

In last night’s Democratic debate, Hillary Clinton dismissed a question about whether she would resign if indicted for mishandling classified information, saying “Oh for goodness … that’s not going to happen. I’m not even answering that question.”

A report by Christian Science Monitor staff writer Peter Grier addresses the question: Is Clinton right to be so dismissive?

“On the one hand, the FBI investigation of the issue could be a shield for Clinton,” Grier writes. “If she isn’t indicted, she can use that fact as an all-purpose dismissal. Something along the lines of, ‘The feds found no problem here, so move along, move along.’ ”

But Republicans will keep the issue alive, he adds, pointing to two new lawsuits seeking access to Clinton’s State Department communications.

Read the article.

Apple’s Angry Response to the Department of Justice: A ‘Cheap Shot’ That’s ‘Intended to Smear the Other Side’

The U.S. Department of Justice filed a legal response on Thursday to Apple’s refusal to help the FBI unlock an iPhone used by one of the San Bernardino shooters, and Apple quickly fired back, with general counsel Bruce Sewell delivering a tense and angry response in a conference call with reporters, reports Business Insider.

Sewell called the DOJ response a “cheap shot” and said that its tone “reads like an indictment.”

He was responding to the DOJ’s claim that “Apple’s rhetoric is not only false, but also corrosive of the very institutions that are best able to safeguard our liberty and our rights … .”

Read the article.

Contract Terms Associated with Data Breaches – It’s a Balancing Act

Companies’ increased awareness of the substantial costs and exposure associated with data breaches has motivated them to beef up their data security requirements in vendor contracts, write Emily R. Lowe and Susan Milyavsky of Morgan Lewis & Bockius in an article posted on Lexology.com. They write that companies should consider some basic issues that frequently arise when negotiating data security provisions.

“Because customers want the maximum protection, vendors should carefully consider how broad a requested representation is. It’s a balancing act, because vendors need to be able to provide certain security controls to win business, but they also need to understand the difference between providing an adequate degree of protection for their customers and an insurance policy,” the authors explain.

And cyber-liability insurance may be a mechanism for a company to mitigate its exposure with respect to damages associated with security breaches.

Read the article.

5 Ways to Clarify and Strengthen U.S. Cybersecurity Law

While most corporate counsels are still trying to figure out what the Cybersecurity Act of 2015 (CSA) does for them, Rob Knake, a Senior Fellow for Cyber Policy at the Council on Foreign Relations, discusses five ways the U.S. Congress can make the law better during 2016.

He wrote the article for Defense One.

In the article, he provides details on his five suggestions: antitrust may have gone too far (or not far enough); whether Internet Service Providers are “information systems”; the benefits of letting the Department of Defense establish information sharing programs with defense companies; classified sharing requires a classified network; and it may undermine sharing.

Read the article.

What Does a Former Staffer’s Immunity Deal Mean for Hillary Clinton?

Photo by Gage Skidmore

The revelation that the Justice Department has granted immunity to a former State Department staff member who worked on Hillary Clinton’s private email server is a likely indication that the investigation is nearing a conclusion, reports The Washington Post, but should not be read as a sign that the leading Democratic presidential candidate is going to face criminal charges, legal experts said.

“That Bryan Pagliano — a 2008 presidential campaign worker who set up the server in Clinton’s home — will avoid charges as he cooperates with FBI agents is a significant, if incremental, development, according to former federal prosecutors and white-collar defense lawyers who have been following the case,” the report says.

The granting of immunity to Pagliano “could be an indication that agents and prosecutors are winding down an inquiry that will not result in charges, said Justin Shur, a former deputy chief of the Justice Department’s Public Integrity Section who now works in private practice at the MoloLamken firm,” the Post report continues.

Read the story.

Apple Lawyer, FBI Director Face Off in Congress on iPhone Encryption

FBI Director James Comey told a congressional panel on Tuesday that a final court ruling forcing Apple Inc. to give the FBI data from an iPhone used by one of the San Bernardino shooters would be “potentially precedential” in other cases where the agency might request similar cooperation from technology companies, reports Reuters.

Comey’s remarks at the hearing differ slightly from a statement he made last week that ordering Apple to unlock the phone was “unlikely to be a trailblazer” in setting a precedent for other cases.

“Tuesday’s testimony from Comey and remarks before the same U.S. House Judiciary Committee by Apple’s general counsel, Bruce Sewell, brought to Congress a public fight between Apple and the government over the dueling interests of privacy and security that has so far only been heard in the courts,” Reuters says.

Read the story.

Ransomware Takes Hollywood Hospital Offline, $3.6M Demanded by Attackers

The computers at Hollywood Presbyterian Medical Center have been down for more than a week as the Southern California hospital works to recover from a ransomware attack, reports CSO.

Officials at HPMC said they’re cooperating fully with the Los Angeles Police Department and the FBI in an effort to discover the identity of the attackers. But for now the network is offline and staff are struggling to deal with the loss of email and access to some patient data, the report says.

“The type of Ransomware responsible for shutting down the hospital remains unknown, but one local computer consultant said the ransom being demanded was about 9,000 BTC [Bitcoin], or just over $3.6 million dollars,” according to the report.

Read the article.

Information Governance Hard to Achieve, Worth Effort to Protect Data

Information governance (IG) is nearly impossible to achieve but is a goal worth pursuing to protect the privacy of sensitive data and ensure organizations can meet discovery requests, according to a panel at the LegalTech show in New York.

Teri Robinson, associate editor of SC Magazine, reported on the panel discussion.

“To create a legally defensible IG strategy, companies must understand where information resides as well as who has the data, how to get at it and how quickly legal can get at it during discovery,” she wrote.

Read the article.

HSBC Says It Successfully Defended Attack on Online Banking System

HSBC says it “successfully defended” an attack on its online banking system on Jan. 29 but services were disrupted on a key day for many people’s personal finances, reports The Guardian.

HSBC customers were locked out of internet banking for several hours after the company was targeted by online criminals in a denial of service attack.

The bank said it was working with the authorities to “pursue the criminals responsible.”

Read the article.

GLBA Compliance Considerations in Technology Transactions

By Rob Scott
Scott & Scott

I am a technology attorney representing financial institutions in transactions with service providers. The Gramm-Leach-Bliley (GLB) Act is a federal law that requires financial institutions to take steps to ensure the security and confidentiality of customer data. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) requires financial institutions under its jurisdiction to safeguard customer records and information. This requirement is known as the Safeguards Rule.

The Safeguards Rule applies to organizations that are significantly engaged in providing financial products or services to consumers, including check-cashing businesses, data processors, mortgage brokers, nonbank lenders, personal property or real estate appraisers, and retailers that issue credit cards to consumers.

According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. All programs must be appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Covered financial institutions must, among other things, select appropriate service providers and require them (by contract) to implement the safeguards.

From a transactional perspective, the Safeguards Rule requires due diligence to ensure that all service providers are “appropriate.” Once a service provider has been selected, appropriate contract language must be added in order to be in compliance with the Act.

Pursuant to Section 501(b) of GLBA, financial regulators have published the Interagency Guidelines for Establishing Information Security Standards and have established audit protocols to gauge compliance during routine audits.

Service Provider Definition

Under the regulations, a service provider is any party that is permitted access to a financial institution’s customer information through the provision of services directly to the institution. Examples of service providers include a person or corporation that tests computer systems or processes customers’ transactions on the institution’s behalf, document-shredding firms, transactional Internet banking service providers, and computer network management firms.

Overseeing Service Providers

The Security Guidelines establish specific requirements that apply to a financial institution’s contracts with service providers. An institution must:

  • Exercise appropriate due diligence in selecting its service providers;
  • Require its service providers by contract to implement appropriate measures designed to meet the objectives of the Security Guidelines; and
  • Where indicated by its risk assessment, monitor its service providers to confirm that they have satisfied their obligations under the contract described above.

Sample Language for Monitoring and Oversight

Here is the language I like to use to make sure that the financial institution is in compliance with the requirement to oversee the service provider.

Use of Subcontractors. Vendor may use subcontractors in connection with this agreement provided that Vendor’s use of subcontractors is in compliance with the requirements set forth in 501(b) of GLBA. Upon request, Vendor must certify that its vendors and subcontractors are in compliance with GLBA.

Oversight. Upon request, Vendor shall provide BANK with copies of audits, summaries of test results, or equivalent evaluations to confirm that Vendor is in compliance with its obligations under GLBA.

Requiring Service Providers to Implement Appropriate Security Measures

The contract provisions in the Security Guidelines apply to all of a financial institution’s service providers. After exercising due diligence in selecting a company, the institution must enter into and enforce a contract with the company that requires it to implement appropriate measures designed to implement the objectives of the Security Guidelines.

In particular, financial institutions must require their service providers by contract to:

  • Implement appropriate measures designed to protect against unauthorized access to or use of customer information maintained by the service provider that could result in substantial harm or inconvenience to any customer; and
  • Properly dispose of customer information.

Sample Language for Safeguards Rule

I use this language to make sure that the service provider is contractually bound to implement appropriate measures.

Compliance With Laws. Vendor represents and warrants that the Services will be performed consistent with all applicable laws, rules and regulations, and that it will promptly re-perform at its expense any Services that fail to meet that standard. Vendor acknowledges that BANK is subject to the GLB Act, Title V, (“GLBA”) and that Vendor is considered a service provider under GLBA. During the term of this agreement, Vendor shall have adequate administrative, technical, and physical safeguards designed to protect against unauthorized access to or use of customer information maintained by it or its subcontractors or vendors that could result in substantial harm or inconvenience to BANK or any customer, as set forth in GLBA to (i) ensure the security and confidentiality of such BANK Data; (ii) help protect against any anticipated or reasonably likely threats or hazards to the security or integrity of such BANK Data; (iii) help protect against unauthorized access to or use of such BANK Data; and (iv) ensure the proper disposal of BANK Data.

Incident Response Rule

In addition, the Incident Response Guidance requires a service provider to take appropriate actions to address incidents of unauthorized access to the financial institution’s customer information, including notification to the institution as soon as possible following any such incident.

Sample Language for Incident Response

Here is the sample language I like to use for the incident response rule.

Incident Response. Vendor will take appropriate actions to address incidents of unauthorized access to BANK’s customer information, including notifying BANK as soon as possible following any such incident.

When representing financial institutions in transactions with service providers, it is critically important to understand the regulatory framework and how it impacts the transaction. I rarely see vendor contracts that comply with these regulations. Failure to comply with the GLBA safeguards rules and the contracting requirements for service providers can result in adverse audit findings by regulators and can increase liability for privacy and security claims for damages.

 




What the Board Needs to Know About Cybersecurity Compliance

Board members are now facing lawsuits after large-scale cybersecurity breaches because the security breakdowns are considered a failure to uphold fiduciary duties, reports CIO.com.

Department of Justice guidelines for cybersecurity awareness provide some idea of what should be shared with board members. “The CIO now has a responsibility to communicate the cybersecurity strategy to board members and make them aware of critical risks to help avoid personal liability,” CIO.com says.

“Details of day-to-day activities like software monitoring and firewall setup are important for the IT team and CIO to understand, but that level of granularity is not necessary for the Board. However, at a minimum, the Board should understand how cybersecurity failures can impact the business.”

Read the article.

 




E-Sign is Not Enough: Reduce Legal and Compliance Risk – White Paper

eSignLive by Vasco has published a white paper that’s designed to help secure the enforceability of electronically signed contracts and agreements.

“Today, businesses of all sizes are moving their customer transactions to the web. As the adoption of electronic signature technology grows, so does the number of e-signature solutions in the market,” the company says on its website. “Because these solutions are all ‘ESIGN/UETA compliant,’ you may think they will all provide the same level of enforceability in the event of a dispute. This is false.”

“Using an electronic process to capture a customer’s signature provides stronger evidence than is possible with paper and, more importantly, has been proven to reduce the risk of legal disputes. But what exactly is ‘electronic evidence’? What are the best practices for capturing and archiving all the digital fingerprints that customers leave when they transact with you online? How can this evidence help enforce e-contracts? And how can you use it to avoid going to court altogether?”

The white paper, which can be downloaded, presents the recommendations of three legal experts: Pat Hatfield and Greg Casamento, partners at Locke Lord LLP, and Frank Zacherl, litigator and partner at Shutts & Bowen LLP.

Download the white paper.

 




Cybersecurity Predictions for 2016: Targeting the Human Factor

In 2016, people are the targets: from email and web to social media and mobile apps, attackers will build on the successes of 2015, according to an on-demand webinar presented by BrightTALK.

In the webinar, Patrick Wheeler, director of Threat Security at Proofpoint, addresses the shift to increasingly targeted attacks on the people behind the devices.

Participants can learn how to:
• Take measures to secure data
• Effectively track and remediate incidents
• Report out on compliance status

Watch the on-demand webinar.

 




The Importance of Cyber Resilience and Incident Response for Financial Institutions

InformationWeek has posted a free on-demand webinar reviewing key industry cyber security trends affecting financial institutions and methods of preventing and responding to a breach.

“If you’re like most financial institutions, you have controls that identify breaches, but need proper procedures that’ll enable you to recover from such an event,” InformationWeek says on its Bank Systems & Technology site. “In addition, you now face regulatory guidance for developing cyber resilience within your security program. Your ability to respond quickly to cyber security incidents is critical to limiting the impact of a breach on your operations.”

The webinar discusses the current threats across the financial marketplace and explores strategies for implementing a successful incident response program as outlined in the Federal Financial Institutions Examination Council’s cyber resilience guidance.

Watch the on-demand webinar.

 




Defending Against Phishing: Case Studies and Human Defenses

Bank Info Security is promoting a free webinar on avoiding phishing, which leads to unauthorized access to corporate and organizational networks and has cost businesses millions of dollars.

The webinar is scheduled for two presentations: Tuesday, Dec. 22, 2015, at 1:30 p.m. EST, and Tuesday, Jan. 6, 2016, at 3:30 p.m. EST.

PhishMe COO Jim Hansen will draw on his 25 years in law enforcement and IT security to discuss:

  • Conditioning employees to identify and avoid phishing attacks
  • Empowering users to quickly and easily report suspicious emails
  • Analyzing suspicious emails to provide contextual real-time attack intelligence
  • Attack case studies & attacker technique analysis

Register for the webinar.