How Cybersecurity Fits into Your Compliance and Ethics Program

“Cybersecurity wasn’t necessarily a significant issue for in-house counsel 10-15 years ago. But now, companies have so many more obligations regarding information security and data privacy than they did even a decade ago,” writes Theodore F. Claypoole in The National Law Review.

“Initially, cybersecurity was an issue primarily for regulated companies. Then, companies with widespread consumer contact found themselves having to meet greater regulatory burdens. Today, though, cybersecurity is an issue for virtually every company, and it is important those efforts fit into a corporate compliance and ethics program.”

Read the article.




Goodwin Procter Hit by Data Breach Through Vendor

“Goodwin Procter LLP suffered a data breach after a vendor that it uses for large file transfers was hacked, according to an internal memo obtained by news outlets,” reports Lawyer Monthly in their Legal News.

“The memo, circulated on Tuesday by managing partner Mark Battencourt, said Goodwin was notified of the security issue on 22 January and immediately stopped using the service. The firm also retained the services of a third-party forensic expert and launched an investigation into the breach.”

“‘Our investigation revealed a small percentage of our clients may have experienced unauthorized access to or acquisition of confidential material’ on 20 January, Battencourt said in the memo. ‘Clients whose data may have been directly impacted as a result of this matter have been notified, and we have also communicated the security incident to all firm clients.’”

“The investigation also revealed that ‘only a few Goodwin employees were affected’ by a breach, all of whom had also been notified. The memo added that none of the firm’s resources appeared to have been impacted other than the file transfer service.”

Read the article.




Zoom Reaches Settlement with FTC Over Misleading Security Practices

“The Federal Trade Commission reached a settlement with Zoom to resolve allegations that the company engaged in misleading security practices. The use of the videoconferencing platform skyrocketed during the pandemic, particularly in the healthcare and education sectors, which spotlighted its security risks,” reports Jessica Davis in Health IT Security’s Cybersecurity News.

“The settlement requires Zoom to establish and implement a comprehensive security program and prohibits the vendor from misrepresenting its privacy and security, as well as other ‘detailed and specific relief to protect its user base.’”

“The Commission’s complaint alleges that Zoom made misrepresentations regarding the strength of its security features and implemented a software update that circumvented a browser security feature,” according to the FTC majority statement. “The proposed order provides immediate and important relief to consumers, addressing this conduct.”

Read the article.




DOJ Reached $46M Settlement with 5Dimes for Illegal Sports Betting

“5Dimes and the U.S. Department of Justice reached a $46.8 million settlement of an investigation into illegal US sports betting operations, as well as money laundering and wire fraud,” reports Matthew Waters in Legal Sports Report.

“The company announced an intent to enter the US sports betting market following the deal, although state regulators likely will balk at the long list of criminal activity detailed in the settlement.”

“5D Holdings and owner Laura Varela will forfeit the illegally obtained gambling proceeds as part of a settlement with the US Attorney’s Office Eastern District of Pennsylvania into the criminal investigation of 5Dimes’ offshore operations in Costa Rica.”

Read the article.




Facebook Brings Suit against Developers of a Browser Extension That Harvested User Data

Facebook brought suit against two marketing analytics firms alleging the defendants developed and distributed malicious Chrome browser extensions that were essentially designed to scrape users’ data from various social media platforms … “(including Facebook and Instagram), all in contravention of Facebook and Instagram’s terms of service and commercial terms,” reports Jeffrey Neuburger in Proskauer.

“According to the Complaint, the defendants coaxed users to install their UpVoice and Ads Feed extensions by, among other things, offering gift cards in exchange for downloading and suggesting that users would become ‘panelists’ impacting marketing strategies of large companies.”

Read the article.




State Gets $1.9 Million as Share of Data Breach Settlement

“Kentucky will receive more than $1.9 million as its share of a settlement with a company over a data security breach that compromised the personal information of 78.8 million Americans,” reports Steve Rogers in WTVQ’s Local News.

“Anthem, Inc. agreed to pay $39.5 million to 43 states and the District of Columbia. Kentucky will receive $1,929,942.02. In addition to the payment, Anthem has also agreed to a series of data security and adequate governance provisions designed to strengthen its practices going forward, according to Attorney General Daniel Cameron, who announced the settlement.”

Read the article.




Fake Websites for Four Biglaw Firms Might Have Been Created to Get Deal Information

“Fake websites for four large law firms created in 2008 might have been part of an attempt to get insider information on pending Wall Street deals, according to newly declassified FBI documents,” reports Debra Cassens Weiss in ABA Journal’s Cybersecurity News.

“The targeted law firms were Greenberg Traurig; Sullivan & Cromwell; Wachtell, Lipton, Rosen & Katz; and Cravath, Swaine & Moore.”

“Sullivan & Cromwell told the FBI that it thought the scammer was trying to intercept email with information about mergers and acquisitions.”

Read the article.




Facebook’s $550 Million Settlement In Facial Recognition Case Is Not Enough

Lawyers for Facebook are “trying to convince a judge they should be allowed to settle a class action lawsuit that accuses the company of violating users’ privacy,” reports Bobby Allyn in NPR’s Technology.

“Facebook agreed earlier this year to pay $550 million to settle the case, which claims that the tech giant illegally used facial-recognition technology in its ‘tag suggestions’ service.”

“The deal was the largest-ever payout as the result of a class-action lawsuit alleging online privacy violations.”

“…under the settlement, people who have had their face data harvested in Illinois are expected to receive checks of just $150.”

“U.S. District Judge James Donato of California, who is overseeing the case, says that payout is woefully inadequate.”

Read the article.




Texas Courts Hit by Ransomware Attack

“Texas courts shut down websites and disabled servers late last week in response to a ransomware attack, the Office of Court Administration announced Monday,” reports Dave Boucher in The Dallas Morning News’ Courts.

System administrators discovered early Friday that hackers had taken over at least a portion of the statewide court network and demanded some form of ransom in return for restoring control. In a statement, the administration said the attack began “in the overnight hours” the same day it was discovered.

The state did not specify what exactly hackers requested or how they gained access to the system, and a spokeswoman did not return a phone call seeking comment. The court system is working with state law enforcement to investigate the breach and vowed not to pay any ransom.

The administration runs the information technology services for Texas appellate courts and state judicial agencies, including the Texas courts website.

Read the article.




Law Firm Representing Lady Gaga, Madonna, Bruce Springsteen, Others Suffers Major Data Breach

“Grubman Shire Meiselas & Sacks, a large media and entertainment law firm, appears to have been the victim of a cyberattack that resulted in the theft of an enormous batch of private information on dozens of celebrities, according to a data security researcher,” report Todd Spangler and Shirley Halperin in Variety’s Digital News.

“The trove of data allegedly stolen from the New York-based firm by hackers — a total of 756 gigabytes — includes contracts, nondisclosure agreements, phone numbers and email addresses, and ‘personal correspondence,’ according to an image of the hackers’ post provided to Variety by Emsisoft, a cybersecurity software and consulting company specializing in ransomware.”

“The documents purportedly include information about multiple music and entertainment figures, including: Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s ‘Last Week Tonight With John Oliver,’ and Run DMC. Facebook also is on the hackers’ hit list.”

Read the article.




Ten Tips on Handling a Virtual Evidentiary Hearing Before a Regulatory Agency

“A virtual hearing can be challenging for any regulatory lawyer. It requires relying on technology more than ever to advocate for clients. It can feel like talking to an empty room, even if you’re on camera. Plus it requires attorneys to get results for our clients without the benefit of interpersonal contact with the judge, commissioners or staff. However, having survived my first virtual evidentiary hearing before a state energy commission in April 2020 – and with the benefit of hindsight – it’s like everything lawyers do for the first time in our practice: It’s a challenge until you do it. And like the first oral argument we made or the first hearing we ever litigated, we learn lessons and improve each time,” writes Tara S. Kaushik in Holland & Knight’s Insights.

“We will likely face more than a few virtual hearings given the current pandemic and shelter-in-place orders. Currently, many state regulatory agencies have postponed evidentiary hearings or scheduled briefs and telephonic oral arguments to narrow the issues requiring hearings. But that can only last so long, given that utilities, power grid operators, pipelines and other energy companies have to continue doing business as essential services.”

The post provides some practical tips to manage the challenges of a virtual hearing.

Read the article.




Equifax To Pay Mass. $18.2 Million In Settlement, AG Healey Announces

“Equifax will pay Massachusetts $18.2 million and change its security practices as part of a settlement between the credit reporting agency and the state stemming from a major 2017 data breach, Attorney General Maura Healey announced Friday,” reports Chris Lisinski in WBUR’s Bostonomix.

“Healey sued Equifax shortly after the company’s alleged missteps exposed personal data, including Social Security numbers and driver’s license numbers, of 147 million Americans and 3 million Massachusetts residents. The attorney general said the company also failed to notify consumers in a timely manner once the breach occurred.”

“Her office reached its own settlement with Equifax about nine months after declining to join other states in July 2019 agreements, which the attorney general told reporters allowed Massachusetts to secure a larger payment and more strict conditions on the company.”

Read the article.




Protecting Your Sensitive Information While Using Virtual Meeting Platforms

“Over the last several weeks, virtual meetings have become the new normal for many businesses. Improvements in the technology now mean that virtual meetings have a similar look and feel as in-person meetings. However, there is a much greater risk to valuable information (personal and confidential) in a virtual meeting environment. Some of these risks are associated with the data that are collected and disclosed by the provider of the virtual meeting platform itself. Others arise from inadvertent disclosures or access to virtual meeting rooms by uninvited third parties. Therefore, it is important for organizations to have policies in place that address the need for enhanced cybersecurity and data protection,” warns Kevin Pomfret from Williams Mullen in JD Supra.

“Since Zoom seems to be one of the most popular virtual meeting tools, this alert will discuss how to address these risks on its platform. However, many of these same risks are also associated with other virtual meeting platforms. As a result, it is important to review user instructions, Terms and Conditions and Privacy Policies in order to identify and implement similar protective measures for other virtual meeting services.”

Read the article.




Jeep Drivers’ Claims Come to a Screeching Halt

“On March 27, 2020, a five-year legal battle between three certified classes of Jeep Cherokee drivers and Fiat Chrysler came to a sudden end, when a federal judge in the Southern District of Illinois held that allegations that the vehicles were vulnerable to cyber-attacks did not give plaintiffs standing to sue under Article III of the Constitution,” reports Melissa D. DiGrande in Proskauer’s Appellate.

“U.S. District Judge Staci M. Yandle—who was assigned to the case in April 2019, after Judge Michael Reagan retired—did not take lightly her decision to grant defendants’ motion to dismiss for lack of jurisdiction, given the lengthy history of the dispute. Discovery had been completed, experts had been retained, and several motions involving the same standing issues had already been resolved—in plaintiffs’ favor. But, as Judge Yandle explained, a federal court has ‘an independent obligation at each stage of the proceedings’ to ensure that it has subject matter jurisdiction over the litigation. Ultimately, defendants’ persistence paid off and resulted in the full dismissal of the claims, with prejudice.”

Read the article.




The Privatization of the Fourth Amendment?

“This year may prove to be one in which the concepts of privacy vis-à-vis the government and private concerns may converge,” warns Dante A. Stella in Dykema’s The Firewall.

“In 2018, the United States Supreme Court ruled in Carpenter v. United States, 138 S. Ct. 2206 (2018), that individuals have an expectation of privacy in cell-tower locations, and consequently, the government must obtain a warrant to retrieve that location data from a carrier. The 5-4 decision held that cell tower data is subject to Fourth Amendment protections because it implicates an individual’s ‘legitimate expectation of privacy in the record of his physical movements.’ The Court also noted that the data is ‘detailed, encyclopedic, and effortlessly compiled,’ id. at 2216, and that functioning in modern society does not allow people to simply opt-out of using mobile devices…”

Read the article.




INSIGHT: New DoD Cybersecurity Certification Holds Key to Contracts

“Cybersecurity attacks represent a real threat to our national security and the defense industrial base. To combat these threats, the Department of Defense recently released Cybersecurity Maturity Model Certification v1.0—a conspicuous change in how cybersecurity will be viewed in the performance of DoD government contracts.”

“Cybersecurity will no longer be viewed primarily as an element of contract performance. Rather, once CMMC is fully implemented, third-party certified and mature cybersecurity practices and processes will be foundational in contracting with the DoD—without the appropriate CMMC certification, contractors will not be considered for contract awards.”

Read the article.




Malpractice Suit for Document Hack That Exposed Client Info Can Proceed

“A prominent Chinese dissident may proceed with his malpractice case against a law firm based on allegations that the firm failed adequately to protect his personal data from hackers, a Washington, D.C. district court said in an opinion on February 20. In his $50 million suit, the plaintiff, Guo Wengui, alleges that after he retained the firm, someone (assumed to be associated with the Chinese government) penetrated the firm’s computer servers, gained access to his confidential information and published it on the Internet,” report Karen Rubin and Tom Zych in The Law for Lawyers Today’s Malpractice.

“The district court turned back the firm’s motion to dismiss and allowed most of Wengui’s claims to go forward. The case bears watching as cyberattacks increasingly target law firms, and legal IT teams struggle to stay one step ahead of security threats.”

Read the article.




Practical Tips for In-House Counsel From Recent Cybersecurity Decisions

“The possibility of a cybersecurity incident—and ensuing litigation—is a fact of life for almost every business. Even companies that do not process or handle consumer information collect personal information about their employees that can be targeted by hackers or phishing scams or even inadvertently disclosed, exposing the company to potential liability,” warn Seth Harrington, Michelle Visser and David Cohen in Orrick’s blog.

“While eliminating cybersecurity litigation risk entirely likely is not feasible, recent cases do highlight some steps that companies seeking to reduce potential exposure to cybersecurity litigation can take:
(1)  Recognize that pre-incident statements about the company’s cybersecurity measures can be used to sustain deception-related claims.
(2)  Assess the “reasonableness” of your cybersecurity, despite the difficulty of doing so.
(3)  Pay attention to how you structure cybersecurity initiatives to protect related documents and communications based on the attorney-client privilege and work product protection.
(4)  Recognize that your statements about a cybersecurity incident may be relied on by courts to sustain plaintiffs’ claims.
(5)  Consider arbitration clauses, but do so cautiously.
(6)  Consider opportunities to contractually allocate or disclaim liability.”

Read the article.




Threat From Within: Inside Counsel’s Role In Defending Against Data Breaches

“While organizations make significant investments in protecting their data from outside infiltration, they can often overlook the serious threats that exist within their own workforce. According to a 2020 study released by the Ponemon Institute, the biggest threat in terms of disclosure of sensitive information comes from so-called ‘insider threats,’ in the form of employees who disclose protected information or provide a means of access to that information to third parties, either unwittingly or otherwise. That threat has only grown in recent years, increasing by 47% in the last two years alone,” reports Risa B. Boerner in Fisher Phillips Newsletters.

She further breaks down her article into the following sections:

  • The Costs Can Be Staggering
  • Why The Recent Surge?
  • First Steps: Awareness + Training
  • Advanced Tactics

Read the article.




Ransomware Attacks Hit Three Law Firms in Last 24 Hours

“Five U.S. law firms — three in the last 24 hours — have been among the companies and organizations targeted by a new round of ransomware attacks. In two of the cases, a portion of the firms’ stolen data has already been posted online, including client information,” reports Robert J. Ambrogi in LawSites blog.

“Hackers have stolen data from at least five law firms, using the threat of releasing the data to extort payment from the firms, Callow said. In the two cases in which hackers already posted law firm data, they published it on the clear web where it can be viewed by anybody.”

Read the LawSites article.