5 Ways to Clarify and Strengthen U.S. Cybersecurity Law

While most corporate counsel are still trying to figure out what the Cybersecurity Act of 2015 (CSA) does for them, Rob Knake, a Senior Fellow for Cyber Policy at the Council on Foreign Relations, discusses five ways the U.S. Congress can improve the law during 2016.

He wrote the article for Defense One.

In the article, he details his five suggestions: the antitrust provisions may have gone too far (or not far enough); whether Internet Service Providers count as “information systems”; the benefits of letting the Department of Defense establish information-sharing programs with defense companies; classified sharing requires a classified network; and the law may actually undermine sharing.

Read the article.

 

 




What Does a Former Staffer’s Immunity Deal Mean for Hillary Clinton?

Photo by Gage Skidmore

The revelation that the Justice Department has granted immunity to a former State Department staff member who worked on Hillary Clinton’s private email server is a likely indication that the investigation is nearing a conclusion, reports The Washington Post, but should not be read as a sign that the leading Democratic presidential candidate is going to face criminal charges, legal experts said.

“That Bryan Pagliano — a 2008 presidential campaign worker who set up the server in Clinton’s home — will avoid charges as he cooperates with FBI agents is a significant, if incremental, development, according to former federal prosecutors and white-collar defense lawyers who have been following the case,” the report says.

The granting of immunity to Pagliano “could be an indication that agents and prosecutors are winding down an inquiry that will not result in charges, said Justin Shur, a former deputy chief of the Justice Department’s Public Integrity Section who now works in private practice at the MoloLamken firm,” the Post report continues.

Read the story.

 




Apple Lawyer, FBI Director Face Off in Congress on iPhone Encryption

FBI Director James Comey told a congressional panel on Tuesday that a final court ruling forcing Apple Inc. to give the FBI data from an iPhone used by one of the San Bernardino shooters would be “potentially precedential” in other cases where the agency might request similar cooperation from technology companies, reports Reuters.

Comey’s remarks at the hearing differ slightly from a statement he made last week that ordering Apple to unlock the phone was “unlikely to be a trailblazer” in setting a precedent for other cases.

“Tuesday’s testimony from Comey and remarks before the same U.S. House Judiciary Committee by Apple’s general counsel, Bruce Sewell, brought to Congress a public fight between Apple and the government over the dueling interests of privacy and security that has so far only been heard in the courts,” Reuters says.

Read the story.

 

 




HIPAA Compliance Tune-up for 2016

The Compliancy Group will present a free webinar on mitigation strategies that covered entities and business associates (BAs) alike can take to minimize the risk of a data breach or of actions that prompt an OCR audit. The webinar will be held Wednesday, March 9, beginning at 2 p.m. EST.

Healthcare IT leaders and practice managers continually seek ways to foster a culture of alertness around HIPAA compliance, the company said in a release. They face the dual challenge of staying on the right side of federal regulators and stopping would-be hackers, especially given the potential impact a data breach can have on an organization’s reputation and bottom line. Looking back on 2015, it is clear that covered entities and business associates alike will keep preparing to mitigate the threat of cyber-attacks and the planned ramp-up of OCR Phase 2 audits.

The webinar will cover:

  • Security risks that might trigger an OCR audit or increase the risk of a data breach
  • Why you should prioritize a Security Risk Analysis
  • Six hacking-prevention tips
  • How to build a security-aware workforce
  • What TLS vs. SSL encryption is and why you should care

Register for the webinar.




Ransomware Takes Hollywood Hospital Offline, $3.6M Demanded by Attackers

The computers at Hollywood Presbyterian Medical Center have been down for more than a week as the Southern California hospital works to recover from a ransomware attack, reports CSO.

Officials at HPMC said they are cooperating fully with the Los Angeles Police Department and the FBI in an effort to identify the attackers. But for now the network is offline and staff are struggling to cope with the loss of email and of access to some patient data, the report says.

“The type of Ransomware responsible for shutting down the hospital remains unknown, but one local computer consultant said the ransom being demanded was about 9,000 BTC [Bitcoin], or just over $3.6 million dollars,” according to the report.

Read the article.

 




HSBC Says It Successfully Defended Attack on Online Banking System

HSBC says it “successfully defended” an attack on its online banking system on Jan. 29, but services were disrupted on a key day for many people’s personal finances, reports The Guardian.

HSBC customers were locked out of internet banking for several hours after the bank was targeted by online criminals in a denial-of-service attack.

The bank said it was working with the authorities to “pursue the criminals responsible.”

Read the article.

 




GLBA Compliance Considerations in Technology Transactions

By Rob Scott
Scott & Scott

I am a technology attorney representing financial institutions in transactions with service providers. The Gramm-Leach-Bliley (GLB) Act is a federal law that requires that financial institutions take steps to ensure the security and confidentiality of customer data. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) requires financial institutions under its jurisdiction to safeguard customer records and information. This requirement is known as the Safeguards Rule.

The Safeguards Rule applies to organizations that are significantly engaged in providing financial products or services to consumers, including check-cashing businesses, data processors, mortgage brokers, nonbank lenders, personal property or real estate appraisers, and retailers that issue credit cards to consumers.

According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. All programs must be appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Covered financial institutions must, among other things, select appropriate service providers and require them by contract to implement the safeguards.

From a transactional perspective, the Safeguards Rule requires due diligence to ensure that all service providers are “appropriate.” Once a service provider has been selected, appropriate contract language must be added in order to comply with the Act.

Pursuant to Section 501(b) of GLBA, financial regulators have published the Interagency Guidelines for Establishing Information Security Standards and have established audit protocols to gauge compliance during routine audits.

Service Provider Definition

Under the regulations, a service provider is any party that is permitted access to a financial institution’s customer information through the provision of services directly to the institution. Examples of service providers include a person or corporation that tests computer systems or processes customers’ transactions on the institution’s behalf, document-shredding firms, transactional Internet banking service providers, and computer network management firms.

Overseeing Service Providers

The Security Guidelines establish specific requirements that apply to a financial institution’s contracts with service providers. An institution must:

  • Exercise appropriate due diligence in selecting its service providers;
  • Require its service providers by contract to implement appropriate measures designed to meet the objectives of the Security Guidelines; and
  • Where indicated by its risk assessment, monitor its service providers to confirm that they have satisfied their obligations under the contract described above.

Sample Language for Monitoring and Oversight

Here is the language I like to use to make sure that the financial institution is in compliance with the requirement to oversee the service provider.

Use of Subcontractors. Vendor may use subcontractors in connection with this agreement provided that Vendor’s use of subcontractors is in compliance with the requirements set forth in Section 501(b) of GLBA. Upon request, Vendor must certify that its vendors and subcontractors are in compliance with GLBA.

Oversight. Upon request, Vendor shall provide BANK with copies of audits, summaries of test results, or equivalent evaluations to confirm that Vendor is in compliance with its obligations under GLBA.

Requiring Service Providers to Implement Appropriate Security Measures

The contract provisions in the Security Guidelines apply to all of a financial institution’s service providers. After exercising due diligence in selecting a company, the institution must enter into and enforce a contract with the company that requires it to implement appropriate measures designed to implement the objectives of the Security Guidelines.

In particular, financial institutions must require their service providers by contract to:

  • Implement appropriate measures designed to protect against unauthorized access to or use of customer information maintained by the service provider that could result in substantial harm or inconvenience to any customer; and
  • Properly dispose of customer information.

Sample Language for Safeguards Rule

I use this language to make sure that the service provider is contractually bound to implement appropriate measures.

Compliance With Laws. Vendor represents and warrants that the Services will be performed consistent with all applicable laws, rules and regulations, and that it will promptly re-perform at its expense any Services that fail to meet that standard. Vendor acknowledges that BANK is subject to Title V of the GLB Act (“GLBA”) and that Vendor is considered a service provider under GLBA. During the term of this agreement, Vendor shall maintain adequate administrative, technical, and physical safeguards designed to protect against unauthorized access to or use of customer information maintained by it or its subcontractors or vendors that could result in substantial harm or inconvenience to BANK or any customer, as set forth in GLBA, to (i) ensure the security and confidentiality of such BANK Data; (ii) help protect against any anticipated or reasonably likely threats or hazards to the security or integrity of such BANK Data; (iii) help protect against unauthorized access to or use of such BANK Data; and (iv) ensure the proper disposal of BANK Data.

Incident Response Rule

In addition, the Incident Response Guidance requires a service provider to take appropriate actions to address incidents of unauthorized access to the financial institution’s customer information, including notification to the institution as soon as possible following any such incident.

Sample Language for Incident Response

Here is the sample language I like to use for the incident response rule.

Incident Response. Vendor will take appropriate actions to address incidents of unauthorized access to BANK’s customer information, including notifying BANK as soon as possible following any such incident.

When representing financial institutions in transactions with service providers, it is critically important to understand the regulatory framework and how it impacts the transaction. I rarely see vendor contracts that comply with these regulations. Failure to comply with the GLBA Safeguards Rule and the contracting requirements for service providers can result in adverse audit findings by regulators and can increase liability for privacy and security damage claims.

 




What the Board Needs to Know About Cybersecurity Compliance

Board members are now facing lawsuits after large-scale cybersecurity breaches because the security breakdowns are considered a failure to uphold fiduciary duties, reports CIO.com.

Department of Justice guidelines for cybersecurity awareness provide some idea of what should be shared with board members. “The CIO now has a responsibility to communicate the cybersecurity strategy to board members and make them aware of critical risks to help avoid personal liability,” CIO.com says.

“Details of day-to-day activities like software monitoring and firewall setup are important for the IT team and CIO to understand, but that level of granularity is not necessary for the Board. However, at a minimum, the Board should understand how cybersecurity failures can impact the business.”

Read the article.

 




Cybersecurity Predictions for 2016: Targeting the Human Factor

In 2016, people are the targets: from email and web to social media and mobile apps, attackers will build on the successes of 2015 by developing campaigns that target the people behind the devices, according to an on-demand webinar presented by BrightTALK.

In the webinar, Patrick Wheeler, director, Threat Security at Proofpoint, addresses the shift to increasingly targeted attacks on people behind the devices.

Participants can learn how to:

  • Take measures to secure data
  • Effectively track and remediate incidents
  • Report on compliance status

Watch the on-demand webinar.

 




Top 2015 Compliance Stories: Data Challenges and Security Issues

TechTarget has rounded up the top 10 governance, risk and compliance stories of the year, with timely advice about GRC strategy, 2015 compliance challenges and best practices for overcoming data security issues.

“This year proved, again, that governance, risk and compliance remains a top priority for companies,” the article reports. “But identifying these areas as a top concern and effectively addressing them are entirely different beasts. Between emerging governance concerns, the enactment of regulatory legislation, growing data challenges, mobile security issues and renewed encryption debates, GRC professionals have had their hands full in 2015.”

The article covers such topics as data currency, compliance with the SEC Regulation SCI, mobile device management, end-to-end encryption and more.

Read the article.

 




The Importance of Cyber Resilience and Incident Response for Financial Institutions

InformationWeek has posted a free on-demand webinar reviewing key industry cyber security trends affecting financial institutions and methods of preventing and responding to a breach.

“If you’re like most financial institutions, you have controls that identify breaches, but need proper procedures that’ll enable you to recover from such an event,” InformationWeek says on its Bank Systems & Technology site. “In addition, you now face regulatory guidance for developing cyber resilience within your security program. Your ability to respond quickly to cyber security incidents is critical to limiting the impact of a breach on your operations.”

The webinar discusses current threats across the financial marketplace and explores strategies for implementing a successful incident response program, as outlined in the Federal Financial Institutions Examination Council’s cyber resilience guidance.

Watch the on-demand webinar.

 




Defending Against Phishing: Case Studies and Human Defenses

Bank Info Security is promoting a free webinar on defending against phishing, the route to unauthorized access to corporate and organizational networks that has cost businesses millions of dollars.

The webinar is scheduled for two presentations: Tuesday, Dec. 22, 2015, at 1:30 p.m. EST, and Jan. 6, 2016, at 3:30 p.m. EST.

PhishMe COO Jim Hansen will draw on his 25 years in law enforcement and IT security to discuss:

  • Conditioning employees to identify and avoid phishing attacks
  • Empowering users to quickly and easily report suspicious emails
  • Analyzing suspicious emails to provide contextual real-time attack intelligence
  • Attack case studies & attacker technique analysis

Register for the webinar.

 




Cyber Threats Necessitate A New Governance Model – NACD Report

“To protect ourselves and the businesses we oversee, the way we govern absolutely must change,” says Gerald M. Czarnecki, governance expert, in the latest edition of NACD Directorship magazine, a publication of the National Association of Corporate Directors.

The current model, in which the board as a whole, the audit committee, or even the risk committee has general oversight of cyber threats, is no longer adequate, he writes. Cybersecurity and technology risks require a much higher degree of specialized focus, the same level of focus and commitment allotted to financial controls. Czarnecki proposes that a fourth standing committee devoted to data security and technology become part of every public and private company’s board structure.

NACD Directorship magazine is an exclusive benefit of membership in the National Association of Corporate Directors (NACD), but anyone may download the complimentary copy of the magazine.

Download the report.

 




Cyber Revolution Named a Premium Solution Provider to ABA Law Practice Division

Cyber Revolution, Inc., a provider of solutions designed for small and medium sized law firms, has announced that it has been selected as a Premium Solution Provider to the ABA Law Practice Division.

“Cyber threats are constantly evolving to overcome security barriers, but our affordable Cyber Security monthly plan provides the protection that small and medium sized law firms need to stay ahead of current and future cyber threats. Being proactive is the only option for law firms to protect themselves,” said Nicolas Chaillan, CISO of Cyber Revolution, Inc.

In a release, the company said:

Cyber Revolution’s Serenity Plan provides an affordable and simple cyber security solution for law firms. Led by Cyber Revolution’s team of world-renowned experts, the Serenity Plan includes a yearly audit, employee trainings, risk assessments, 24/7 emergency support and Cyber Revolution’s proprietary Law Firm Cyber Security Certification program.

“Cyber Revolution’s Certification Seal can be used to assure current and prospective clients, regulators and insurance providers that your firm has taken the necessary steps to implement effective and secure procedures and processes that will limit exposure and protect their license, reputation and clients’ data,” Chaillan added.

Cyber Revolution hopes that with its relationship with the ABA, it can spread awareness of cyber security in the legal field through educational outreach, trade shows, professional publications and the ABA’s extensive network. Moreover, Cyber Revolution hopes to empower small to medium sized law firms that traditionally find themselves either too small or resource constrained to proactively take control of their digital security.

“This is the solution that everyone was waiting for. Cyber Security protections used to be too expensive and scary for small law firms like us. Cyber-Revolution’s Threat Brief and Report was thorough and insightful – exposing vulnerabilities not only to my systems but all aspects of my firm that could result in the unintended disclosure of critical information. Their level 3 certification will soon be the standard by which all lawyers will have to safeguard information,” said David J. Dischley, of the Law Office of David J. Dischley, PLC.

About Cyber Revolution, Inc.

Cyber Revolution has more than 15 years of experience in the Cyber Security industry, with leadership from Founder and Chief Information Security Officer, Nicolas Chaillan. Chaillan was an early pioneer and contributor to the computer language PHP. Chaillan developed two secure payment solutions for French banks and is considered a top industry expert in Cyber Security, the company said in a release.