Governance

Texas Narrows the Data Breach Notification Timeline


By Seth Jaffe. Last month, the Texas Legislature enacted H.B. 4390, which modified the Texas data breach notification law, narrowing the notification from “as quickly as possible,” to “without unreasonable…

Canada’s Breach Notification Regulation Goes into Effect Today

By Seth Jaffe. Back in April, Canada adopted additional regulations related to its cyber security law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The new regulations dictate requirements for reporting a data breach, and they go into effect November 1, 2018. Specifically, a report to Canada’s Office of the Privacy Commissioner must contain: a description of [...]

Is Your Cybersecurity Program Protecting Against Hardware Threats?

By Seth Jaffe. Last week, Bloomberg exposed a hardware backdoor surreptitiously placed on circuit boards by operatives from a unit of the China People’s Liberation Army. This tactic is not new. Indeed, the article claimed that U.S. officials had caught China attempting this in the past. Edward Snowden, back in 2014, famously accused the NSA [...]

Business Email Compromise and the Importance of Being Earnest

By Justin Silbert. Business Email Compromise (BEC), along with all cyber crime, is continuing to thrive. The FBI is now estimating that the cost of BEC has reached $12 billion since October 2013, and the losses continue to grow. When talking about financial cyber crimes, BEC is one of the simplest and most effective scams. [...]

Cyber Security ROI: It may happen sooner than you think

By Seth Jaffe. You’ve heard it before. Companies are slow to invest in cyber security because they see few returns.[1] But that is likely to change, and it may occur sooner than we expected. Let’s first set the context. An executive recently made the comment to me that “cyber security is just another cost of [...]

Alabama Requires Entities to Safeguard Sensitive Information

By Seth Jaffe. Alabama recently became the 50th state to pass a data breach notification law, but in doing so, the state upped the ante by including security obligations generally found in industry-specific cyber security laws. I’ve written about the Eight Principles of Cyber Security Laws in a prior blog post. Alabama adopted seven of [...]

The 8 Principles of Cyber Security Laws

By Seth Jaffe. The United States has yet to promulgate a comprehensive federal cyber security law aimed at improving the cyber hygiene of companies serving its citizens. But a collation of industry-specific laws (both federal and state), proposed bills, guidance documents, and cyber strategies yields a fair indication of where our nation is headed. This [...]

Lowering Risk By Putting Response Before Incident

By Justin Silbert. As individuals, some people are good at improvisation, that is, dealing with things as they come and creating the best outcome from them. But organizations in the midst of an incident are notoriously terrible at improvising. There is no better example than Equifax, whose initial response was fraught with missteps. First, it downplayed [...]

When It Comes to Cyber Security, Lack of Vendor Oversight Can Lead to Legal Trouble

By Seth Jaffe. Third-party cyber security programs got a shot in the arm this week in the form of two legal actions. The first, well summarized by Sue Ross over at Norton Rose Fulbright, is a proposed consent agreement by the Federal Trade Commission against mobile phone manufacturer BLU Products, Inc., alleging that BLU’s failure [...]

NIST Releases Cybersecurity Framework 1.1

By Heath C Renfrow, CISSP, C|CISO, C|EH, C|NDA. The National Institute of Standards and Technology (NIST) announced on April 16, 2018 the release of the Cyber Security Framework (CSF) 1.1, intended to improve Critical Infrastructure Cybersecurity. The focus of this framework when first developed in 2014 was geared towards industries vital to economic and national security, [...]

FDA and the Medical Device Security Action Plan

By Heath C Renfrow, CISSP, C|CISO, C|EH, C|NDA. Since 2013, cyber professionals have been warning about the cyber risk and exposure healthcare organizations face from cyber-attacks on medical devices and software. As a result of these concerns, Health and Human Services (HHS) extended security and privacy rules to business associates, and the Federal Drug Administration [...]

To Pay or Not to Pay (Ransomware)

By Heath C Renfrow, CISSP, C|CISO, C|EH, C|NDA. The recent ransomware attack on the City of Atlanta cost the city an estimated $2.7 million, and raises the question: do you pay or do you not pay? Ransomware has exploded over the last few years and has been especially hard on the healthcare industry, which can [...]