Chad King of King & Fisher in Dallas offers some timely advice on how companies can protect their information systems in an environment in which it is becoming increasingly difficult to stay ahead of cyber intruders.

He begins by recounting the story of how anti-virus and security company Kaspersky Lab was alleged to have been cooperating with the Russian Federal Security Service (FSB), the name of the Russian counterintelligence agency and successor of the KGB, since 2009. The U.S. federal government mandated that all software made by Kaspersky Labs be removed from government computer systems. Retailers such as Best Buy are also taking steps to remove Kaspersky Labs products from their retail offerings.

“Although it’s unlikely we will ever have a definitive answer about whether Kaspersky Labs is gathering data for the Russian FSB, this incident highlights a growing concern that foreign governments might be collaborating with software and hardware companies to spy on other governments, corporate enterprises, and consumers. How can companies protect themselves in this environment?

His article offers five points to consider to deal with the threat.

Read the article.

Join Our LinkedIn Group

Los Angeles Times reporter James Rufus Koren examines the question: Did three Equifax executives, including the chief financial officer, engage in insider trading when they sold thousands of shares in the days after the company discovered a massive security breach?

“The credit bureau has publicly stated the executives were unaware of the hack at the time of the sales, but the size of breach and timing of the trades has nonetheless stirred suspicion,” writes Koren.

SEC filings show that three days after the company discovered a massive hack had stolen information of up to 143 million consumers in Equifax’s files, the CFO and the president of a business unit sold more than 10,000 shares. The next day, the president of another business sold some shares. All shares sold for about $146 each.

When Equifax announced the hack weeks later, the stock closed down about 16% from the time the executives sold stock, Koren writes. The company has said the executives did not know about the hack at the time of the sales.

Read the LA Times article.

Join Our LinkedIn Group

Sidley Austin LLP announces that Wim Nauwelaerts has joined the firm as a partner in its Brussels office. He will be a member of Sidley’s global Privacy and Cybersecurity practice.

In a release, the firm says Nauwelaerts has almost 20 years of experience in privacy and data protection matters.

The release continues:

He advises companies on all aspects of EU and international data protection and privacy compliance, including preparation for the EU General Data Protection Regulation (GDPR), data transfer strategies, data security and breach requirements, and compliance training. He also assists clients with contract negotiations and represents them before supervisory authorities. While Mr. Nauwelaerts counsels clients in a variety of sectors, he has particular experience with life sciences, technology and new media clients.

“We have seen tremendous growth in our European data protection practice, which will continue as companies prepare for, and thereafter comply with, the GDPR,” said Alan Raul, founder and co-leader of Sidley’s global Privacy and Cybersecurity practice. “Adding Wim to our outstanding team of privacy practitioners in Europe, led by John Casanova and William Long, is a logical next step in ensuring we continue to provide clients with the highest level of service in developing and implementing privacy, data protection and cybersecurity programs around the world.”

Join Our LinkedIn Group

The General Data Protection Regulation (GDPR) will become law in all EU jurisdictions on May 25, 2018 and will impact organizations that handle EU citizen data for any number of reasons, from employment to customer relations to marketing. Just because a company is not based in or even operating in the EU doesn’t mean GDPR won’t apply.

It is a broad and wide-ranging regulation that is posing significant challenges for the types of clients Yerra serves, namely global corporations in highly-regulated industries such as banking, consumer goods and pharmaceuticals.

To gauge readiness for GDPR across industries and global regions, Yerra has launched an industry survey to help benchmark where global corporations are in their preparations. The GDPR Reality Check survey is being run in collaboration with the Blickstein Group and will be open for submissions through the end of May 2017.

Take the survey.

Join Our LinkedIn Group

Bloomberg Law reports that the global law firm DLA Piper fell victim on Tuesday to a widespread cyber attack, which reportedly disabled networks at dozens of companies.

“The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible,” according to a statement the firm posted on its website.

“But calls and emails to the firm either failed or went unanswered. The U.K.’s Legal Week reported that the attack had ‘knocked out phones and computers across the firm,’ including in Europe, the Middle East and the U.S.,” writes Gabe Friedman.

The Petya virus has been spreading, locking companies out of their networks and demanding a ransom in cryptocurrency to unlock them.

Read the Bloomberg article.

Join Our LinkedIn Group

Knowledge Nomads’ Summer Legal Conference in Berlin July 23-29, 2017, will feature sessions on law in the age of hyperconnectivity, legal issues in the sharing economy, and the legal fallout from Volkswagen’s emissions scandal.

The event will be at Berlin’s Radisson Blu Hotel.

The CLE-qualified sessions will feature a diverse group of speakers, including a broad range of nationalities, backgrounds and ages.

Interspersed with the the presentations will be an arts and culture day with a choice of seven tailor-made tours, a trip to the home of Volkswagen, and a closing dinner on top of the German Federal Parliament Bundestag building.

Other side events will include guided tours, dinners, receptions, concerts, a gallery tour and more.

Register or get more information.

Three Chinese stock traders were ordered to pay $8.9 million in fines and penalties for hacking into two law firms and stealing information on upcoming mergers and acquisitions and then leveraging the information to trade stocks, according to a Dark Reading report.

A federal court in New York found that the three hackers installed malware on the law firms’ computer networks, enabling them to view emails on mergers and acquisitions in which the firms were involved. Then they used that information to buy stock in at least three public companies prior to their merger announcements, according to the Securities and Exchange Commission.

The firms aren’t identified in the complaints, but Law360 reports they appear to be Weil Gotshal & Manges and Cravath Swaine & Moore, based on information in charging documents.

Read the Dark Reading article.

Join Our LinkedIn Group

Black Duck Software has posted a complimentary on-demand webinar discussing ways organizations can outsource to meet their development needs and also address open source security and management risks before giving contractors access to their valuable technologies.

“Today’s rapidly changing technologies, including the proliferation of open source and the accelerating shift to the cloud, are increasing the use of outside experts for both application development and IT solutions,” the company says on its website. “At the same time, IP security is top of mind worldwide.”

The presenter is Jim Markwith, co-founder and managing partner of Symons Markwith LLP’s Seattle and Washington, DC area offices.

He is an experienced technology and corporate transactions attorney with over 20 years of experience. His clients range from start-ups to fortune 50 technology leaders, including computer software, on-line retail, and Healthcare IT product and service developers.

Prior to private practice, Markwith held executive and senior in-house legal positions with Microsoft, Adobe Systems, and Allscripts Healthcare. He received his J.D. degree from Santa Clara University School of Law, and is a member of the California, Washington, DC, and Washington State Bar Associations.

Watch the on-demand webinar.

The National Association of Corporate Directors has published the 2017 edition of the NACD Director’s Handbook on Cyber-Risk Oversight and made it available for free downloading.

The book is constructed around five core principles designed to enhance the cyber literacy and cyber-risk oversight capabilities of directors of organizations of all sizes and in all industries, according to NACD.

This handbook provides

• foundational principles for board-level cyber-risk oversight;
• insight into management of cyber-risk oversight responsibilities; and
• tools to improve and enhance boardroom practices.

Download the handbook.

Data security must extend beyond the scope of a company’s own office or network and to any of the company’s service providers that have access to its data, warns Armand J. (A.J.) Zottola in Venable LLP’s Digital Rights Review.

“A company can be held responsible for a data breach involving its own data, regardless of whether the company is directly responsible for managing its own data,” Zottola writes. “The risks associated with sharing data with a service provider are best managed through the utilization of contract provisions governing information security.”

In his article, he offers guidelines to consider throughout the process of drafting information security provisions to govern the management, handling, and control of a company’s data.

Headings for those guidelines include: research applicable legal requirements, set and meet minimum security standards through the establishment of an information security program, ensure the service provider isn’t misusing data, determine security breach response procedures, and create audit requirements.

Read the article.

Join Our LinkedIn Group

Practical Law’s Mel Gates and Zach Ratzman on Thursday, January 12, 2017, at 1:00 p.m. Eastern will present a free, 75-minute webinar that will explain recent data breach trends affecting state and local governments and provide tips on how to prepare for and help prevent a data breach or other cyber event . . . before it happens.

Topics will include:

• Why state and local governments should be thinking about data breaches and other cyber events.
• Federal and state laws concerning personal information, data security, and breach notification.
• What reasonable security measures are and how they can impact a government entity’s regulatory and litigation exposure.
• The basics on today’s cyber threats with recent case studies of data breaches that have affected state and local governments.
• Recommendations on how government lawyers can play a key role in protecting their organizations.

A short Q&A will follow.

Presenters:

Mel Gates, Senior Legal Editor, Privacy & Data Security, Practical Law
Melodi (Mel) Gates, CIPP/US joined Practical Law from Squire Patton Boggs (US) LLP, where she was a senior associate focusing on cybersecurity and privacy issues, including in the health information technology field. Prior to practicing law, Mel worked for over twenty years in the telecommunications industry, last serving as chief information security officer (CISO) for a large network provider. She is also an appointed member of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (DPIAC).

Zach Ratzman, Director of Public Sector, Practical Law
Zach Ratzman joined Practical Law from the U.S. Department of Homeland Security’s Office of the General Counsel in Washington, DC, where he advised senior DHS leadership on privacy, information sharing, and congressional oversight matters. Before that, Zach worked for nearly a decade at several major New York City law firms, where his practice focused on securities and accounting fraud litigation. Before entering private practice, he clerked for the late Honorable Harold Baer, Jr. in the Southern District of New York. Zach is the Director of Practical Law’s Public Sector Service.

Register for the webinar.

RSA has witnessed a huge uptick in targeted phishing email attacks in recent months, the company reports on its website.

“In Q2 alone, RSA identified more than 515,000 phishing attacks in the global market — a 115% rise over Q1 2016 and a remarkable 308% increase over the same time period last year,” writes Heidi Bleau. “The U.S. continued to be the most attacked country, with 48% of global phishing volume, as well as the top hosting country, hosting 60% of all global phishing attacks.  The total cost to global organizations from phishing: $9.1 billion.”

RSA describes a new fraud tutorial, called “Jungle Money,” found in an underground forum. The tutorial tells fraudsters how to create a network of private e-Wallet accounts that are converted through online store merchant services and funneled into a business class e-Wallet account. Following the instructions, a scammer can be protected from discovery by making it difficult to tie the different accounts to one another.

“The scheme includes creating a number of shell accounts via Virtual Credit Cards (VCC), as well as multiple shell e-Wallet accounts, and using them to ‘juggle’ funds between the accounts by charging one account against another for a purchase or service. They then quickly request a chargeback from one of the accounts, thereby receiving a full refund and quickly cashing out the funds,” according to the report.

Read the article and download the report.

A series of security breaches that stuck prestigious law firms last year was more pervasive than reported and was carried out by people with ties to the Chinese government, according to evidence reported by Fortune.

In the cases studied by the magazine, hackers broke into BigLaw firm partners’ email accounts and passed messages from their victims’ in-boxes to outside servers.

“The evidence obtained by Fortune did not disclose a clear motive for the attack but did show the names of law firm partners targeted by the hackers,” writes reporter Jeff John Roberts. “The practice areas of those partners include mergers and acquisitions and intellectual property, suggesting the goal of the email theft may indeed have been economic in nature.”

Read the Fortune article.

Information security expert Edward H. Block has joined Gardere Wynne Sewell LLP as a senior attorney in its Austin office. Block joins the firm from the Texas Department of Information Resources, where he served as the chief information security officer (CISO) and the cybersecurity coordinator for the state of Texas.

With more than 20 years of experience in the cybersecurity arena, Block primarily focuses on the effects of emerging law on personal privacy at the state, federal and international levels. He has assisted and managed technical teams performing all aspects of information security work, and has developed information security policies, standards and guidelines that balance protection of information assets with legal and functional requirements.

In a news release, the firm said Block joins Gardere’s litigation practice and is a member of the firm’s internet, eCommerce and technology team, as well as its cybersecurity and privacy legal services team. Block will work closely with the firm’s government affairs team on cybersecurity law and regulation, as well as collaborate with the corporate practice group to evaluate parties’ security postures, policies and procedures in mergers and acquisitions to ensure an integrated approach to addressing security risk during the transition. In addition, Block will assist clients with establishing security, breach and disaster recovery polices and will counsel on cyber insurance issues, including evaluating policy compliance.

“Eddie’s unique background in information security will be an enormous asset to our clients in navigating their evolving cybersecurity needs and challenges,” says Kimberly A. Yelkin, executive partner in Gardere’s Austin office and chair of the government affairs team. “We are thrilled to welcome Eddie to the team.”

Prior to his time at the Texas Department of Information Resources, Block was a senior product security engineer at Polycom Inc. and was the information security officer for the Employees Retirement System of Texas. He is a Certified Information Systems Security Professional (CISSP), Certified Information Privacy Manager (CIPM), Certified Information Systems Auditor (CISA) and a Certified Ethical Hacker (CEH). Block earned his undergraduate degree at Loyola Marymount University and his juris doctorate at St. Mary’s University School of Law.

New York’s Attorney General Eric Schneiderman issued a warning on Wednesday about a phishing scam in which hackers pose as representatives from from his office and target attorneys, according to a Bloomberg Law report.

Schneiderman’s press release quotes a phony email in which the hackers suggest a complaint has been filed against the recipient’s law firm.

“The goal of such emails is to trigger the recipient to click a link or open an attachment through which the hacker can gain access to the server, and any sensitive information on your computer such as credit card data and social security numbers,” the report says.

Read the Bloomberg article.

By Patty P. Tehrani
Lawyer and Founder of Policy Patty Toolkit

The cybersecurity regulations keep coming. Following New York’s proposed regulation on cybersecurity, and notice from banking regulators on proposed cybersecurity rules, the Financial Crimes Enforcement Network (FinCEN) has issued an advisory and related FAQ.

The advisory includes key definitions relevant to cyber-related incidents as follows:
• Cyber-Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.
• Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.
• Cyber-Related Information: Information that describes technical details of electronic activity and behavior, such as IP addresses, timestamps, and Indicators of Compromise (IOCs). Cyber-related information also includes, but is not limited to, data regarding the digital footprint of individuals and their behavior.

The advisory explains how BSA requirements apply to cyber-events, cyber-enabled crime, and cyber-related information with guidance on:
• reporting cyber-enabled crime and cyber-events through SARs;
o consider all available information surrounding the cyber-event, including its nature and the information and systems targeted;
o determine monetary amounts involved in the transactions or attempted transactions (should consider in aggregate the funds and assets involved);
o know other cyber-related SAR filing obligations required by their functional regulator;
• including relevant and available cyber-related information (examples provided – IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information) in SARs to:
o provide complete and accurate information, including relevant facts, to the extent available:
 description and magnitude of the event;
 known or suspected time, location, and characteristics or signatures of the event;
 indicators of compromise;
 relevant IP addresses and their timestamps;
 device identifiers;
 methodologies used; and
 other information the institution believes is relevant;
o refer to the FAQs for additional information on reporting cyber-related information in SARs;
• collaborating internally between BSA/Anti-Money Laundering (AML) units and other units to identify suspicious activity to:
o make sure to internally share relevant information from across the organization to help reveal additional patterns of suspicious behavior and identify suspects not previously known to BSA/AML units;
o use cyber-related information to:
 help identify suspicious activity and criminal actors;
 develop a more comprehensive understanding of their BSA/AML risk exposure;
 use information provided by BSA/AML units to help the institution guard against cyber-events and cyber-enabled crime;
 provide for more comprehensive and complete SAR reporting;
• sharing information among financial institutions to guard against and report money laundering, terrorism financing, and cyber-enabled crime to:
o identify threats, vulnerabilities, and criminals; and
o note the extension of Section 314(b) of the USA PATRIOT Act as a safe harbor from liability to financial institutions—after notifying FinCEN and satisfying certain other requirements— to encourage information sharing.
The supplemental FAQs provide additional guidance on reporting obligations for cyber events and cover the following questions:
• What information should a financial institution include in SARs when reporting cyber-events and cyber-enabled crime?
• How should a financial institution complete SARs when reporting cyber-events and cyber-enabled crime
• How should cyber-events and cyber-enabled crime be characterized in SARs?
• How does a financial institution report numerous cyber events in SARs?
• Is a financial institution required to file SARs to report continuous scanning or probing of a financial institution’s systems or network?
• Should a SAR be filed in instances where an otherwise reportable cyber-event is unsuccessful?
• Does FinCEN now require financial institutions’ BSA/AML units to have personnel/systems devoted to cybersecurity?
• Are BSA/AML personnel now required to be knowledgeable on cybersecurity and cyber-events?
• Can financial institutions use Section 314(b) of the USA PATRIOT Act to share cyber-event and cyber-enabled crime information with other financial institutions
Note: These new FAQs replace prior guidance provided by FinCEN.

FinCEN hopes the guidance will help reduce cyber risks for financial institutions as serve as a reminder on:
• their Bank Secrecy Act (BSA) obligations regarding cyber-events and cyber-enabled crime;
• how BSA reporting helps U.S. authorities combat cyber-events and cyber-enabled crime;
• compliance with BSA requirements or other regulatory obligations for financial institutions does not absolve them from having to comply with federal and state notice/reporting requirements and guidance on cyber-related incidents;
• encouraging collaboration:
o within financial institutions—between employees combating cyber-crime and employees combating money laundering;
o information sharing between financial institutions to again more effectively combat cyber-crime; and
• filing a Suspicious Activity Report (SAR) does not relieve it from any other applicable notice requirements of events impacting critical systems and information or of disruptions in their ability to operate.

Note: Under the Bank Secrecy Act, financial institutions must file SARs to report suspicious activity.

Spurred by the growing and often contradictory cybersecurity regulatory burden facing companies, Thomson Reuters, Pillsbury and FireEye have formed an industry-first collaboration to help corporations meet new regulations and manage risk related to cybersecurity. In a release, the companies said this alliance affords institutions expertise and resources from a holistic, multi-pronged approach to cybersecurity risk assessment and due diligence that combines legal counsel, technical assessments and legal managed services to help meet a variety of internal, external and regulatory standards.

The release continues:

As targeted attacks become more sophisticated, complex and commonplace, organizations cannot rely on the patchwork of industry standards to use as a base for their cybersecurity or risk management program. Each organization should determine its own risk and address any issues or concerns before a problem arises. However, even a casual review of the news shows that many organizations are not meeting this seemingly minimal obligation with widespread success.

The alliance between Thomson Reuters, Pillsbury and FireEye provides the resources and guidance organizations can rely upon to help manage cyberrisk, especially as additional regulations in this area expand and evolve. Pillsbury, a leading international law firm, will help companies navigate the myriad regulations, standards and guidelines they face as well as provide them with legal counsel related to compliance and risk management. The Thomson Reuters Legal Managed Services team will leverage its experience and efficient processes to review contracts and agreements with third-party suppliers and assist in implementing key changes to such processes or agreements advised by Pillsbury. FireEye, an industry-leading cybersecurity company, will perform the technical risk assessments, advanced testing and response readiness to help each organization’s defense posture match the threats to their specific industry and operations.

“Cyberthreats and the regulations created to counter have grown incredibly complex,” said Brian Finch, partner and co-chairman of Pillsbury’s privacy, data and cybersecurity practice. “With that in mind, it is essential to bring multiple perspectives and skill sets together in order to attack the problem. The recently released cybersecurity regulations from the New York State Department of Financial Services cemented our belief that no one organization can fully assist a company in protecting itself from criminal attack and regulatory obligations. The opportunity to work with industry leaders like FireEye and Thomson Reuters to help companies solve those multiple objectives is a truly exciting one.”

Rich Stegina, vice president of Strategic Partnerships at FireEye, commented, “FireEye provides our clients with a global team of experts that can assess an organization’s cybersecurity situation via a range of pre-breach service offerings specific to the needs and goals of that organization. By strategically partnering with leaders in the legal industry — Pillsbury and Thomson Reuters — we can address the complex cyberthreats that the market and specific organizations are facing.”

Christy Weisner, director of Thomson Reuters Legal Managed Services, noted that a key element to this offering, and any cybersecurity risk assessment program, is the analysis of third-party agreements for gaps and degree of risk. “Our Legal Managed Services group at Thomson Reuters already supports clients across all sectors with ongoing contract lifecycle management and compliance solutions, and this alliance ensures clients receive a comprehensive team to address cyberrisk. Our managed services experts will evaluate each contract that involves client data or information systems and, following Pillsbury’s guidance, assist in renegotiation and redocumentation if needed.”

The Federal Reserve Board, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency are considering applying enhanced standards to address this issue for a sensitive and critical area of the U.S. marketplace. Additionally, the New York State Department of Financial Services recently issued regulations in “Cybersecurity Requirements for Financial Services Companies.” Covered entities must adhere to a wide range of cybersecurity requirements, including the establishment of a cybersecurity program and ensuring that third-party service providers are holding information in a secure manner.

While a company cannot eliminate risks involving compromised data and systems, there are some actions that a company should take to protect data in the hands of third-party suppliers, advises Mayer Brown LLP.

In an article posted on the firm’s website, authors Rebecca S. Eisner, Lei Shen and Lindsay T. Brown discuss five privacy- and security-related questions that a general counsel should ask regarding company data in the hands of third-party suppliers and other business partners.

They questions they discuss at length are: Have We Assessed Our Security and Privacy Risks? How Robust Is Our Oversight of Third Parties Who Have Our Data or Access to Our Networks? Do We Have Appropriate Contractual Protections? How Do We Monitor Developments? and Do We Address Privacy and Security in Other Transactions, Such as M&A?

Read the article.

The risk of a data breach cuts across industries and affects businesses large and small, causing some companies to migrate mission-critical data, including sensitive customer information, to third-party cloud providers, according to an article written by Sidley Austin lawyers Scott Nonaka and Kevin Rubino for Bloomberg Law.

“As data breaches have increased, so have the number of companies migrating mission-critical data to the cloud, including sensitive customer information,” they write. “These companies often turn to third-party cloud service providers to provide data hosting, software or infrastructure services. This trend is driven, in part, by the growing perception that cloud services are more secure than traditional information technology environments.”

They point out that data stored in the cloud faces many of the same threats as locally-stored data and, due to the growing amount of information in the cloud, it can be an attractive target for hackers.

Read the article.

SecureDocs will present a complimentary webinar designed for professionals who are interested in understanding, identifying, and mitigating potential data breach disasters before they occur.

The webinar will be Wednesday, Oct. 26, at 11 a.m. PST.

Featured speaker John P. Lucich, president at High Tech Crime Network, will present an analysis of the current cyberattack landscape and give detailed instructions on what businesses can do to prevent both internal data leaks, and external attacks.

During this 60-minute webinar, Lucich will introduce and examine critical topics regarding corporate data security, including:

-The common reasons why network intrusions occur
-The direct and indirect impact of a security incident on a business
-The challenges and misconceptions regarding network defense that lead to a false sense of security amongst organizations
-Likely sources of security breaches and what businesses can do to protect against them

Register for the webinar.

From a SecureDocs release:

About SecureDocs Virtual Data Room:
SecureDocs Virtual Data Room is the flagship product of SecureDocs, Inc. The data room is designed for businesses raising funds, going through M&A, licensing Intellectual Property, and those who recognize the importance of safeguarding their most critical business documentation. All SecureDocs, Inc. suite products are easy-to-use solutions that keep businesses organized and ready for opportunity, without breaking the bank. Created by the engineers and team who helped develop GoToMeeting, GoToMyPC, AppFolio, and Rightscale, the team is dedicated to building software solutions that are highly secure, easily adopted, and affordable for any type or size of business. For more information about the company visit http://www.securedocs.com or http://www.contractworks.com.

About John P. Lucich:
John P. Lucich is a seventeen year veteran of law enforcement and spent more than eight years with the New Jersey General’s Office Organized Crime Racketeering and Corruption Bureau, seizing and analyzing computers in support of a variety of criminal offenses. Mr. Lucich is a nationally recognized expert, lecturer and author on a variety of high tech crime investigations and computer forensics. He has been a regular guest on the Nancy Grace Show, Fox News, Headline News and many other shows, sharing his expertise. Mr. Lucich testified as an expert witness before the United States Congress in 1993 and delivered a keynote speech along with Bill Gates and General Colin Powell at CAWorld96.