First Class Action Lawsuit Filed on Behalf of Victims of First American Title Company Data Breach — Yahoo!

June 26th, 2019 | Categories: Class Actions, HB Risk Notes, Technology Law

"Gibbs Law Group LLP has filed the first nationwide class action lawsuit accusing First American Title Company of failing to properly secure 885 million sensitive customer files, instead choosing to store them in a 'woefully insecure,' publicly-accessible system." “First American has turned the American dream of home ownership into a financial security nightmare for its customers,” according to the complaint. Specifically, the lawsuit alleges that First American Title Company was negligent, and violated its contracts with customers, in the way it stored their personal information, which included bank account numbers, Social Security numbers, financial and tax records, and photos of their drivers’ licenses. "This grave lapse in security resulted in publicly exposing hundreds of millions of customers’ personal files, leaving them vulnerable to identity theft and other cybercrimes," the plaintiffs maintain. Read the complete Press Release on Yahoo! here

Artificial Intelligence: DeepMind on Debugging Learned Predictive Models

May 9th, 2019 | Categories: Complex Business Litigation, HB Risk Notes, Technology Law

DeepMind, an artificial intelligence research company, in a recent blog post discusses three ways to eliminate bugs in learned predictive models. The company was founded in London in 2010. Google acquired it in 2014. In addition to London they have research centers in Edmonton and Montreal, Canada, and a DeepMind Applied team in Mountain View, California. "Bugs and software have gone hand in hand since the beginning of computer programming," the post reads. "Over time, software developers have established a set of best practices for testing and debugging before deployment, but these practices are not suited for modern deep learning systems. Today, the prevailing practice in machine learning is to train a system on a training data set, and then test it on another set. While this reveals the average-case performance of models, it is also crucial to ensure robustness, or acceptably high performance even in the worst case. In this article, we describe three approaches for rigorously identifying and eliminating bugs in learned predictive models: adversarial testing, robust learning, and formal verification." Read the complete post here! 

Moving Your Corporate Data to the Cloud: Top 13 Things to Think About as you Review Your Hosting Agreement — Judy Selby Consulting

May 6th, 2019 | Categories: HB Risk Notes, Insurance, Technology Law

Some data migration risks can be mitigated at the cloud contract stage, Allison Bird, Judy Selby’s partner at Clearview Privacy Consulting LLC, explains. Regarding indemnification, Bird says, "If data is lost or exposed by the hosting company, your company as well as any affiliates who use the services will be subject to suits from clients and individuals whose data was impacted.  You may also be subject to regulatory scrutiny which could result in legal costs and regulatory penalties.  To the extent possible, negotiate a full indemnification of third party claims arising out of the hosting services." She says the limitation of liability section of your hosting agreement "may be the single most important" part.  "Your hosting company may make a lot of promises in the agreement.  However, if their liability under the agreement is significantly capped, you won’t receive the monetary compensation necessary to make up for hosting company’s acts and omissions that damage the company. Negotiations for a higher cap will translate into real dollars in the event of a security incident." Of course, insurance is always a good solution if done right. "You can negotiate the perfect contract but unless your hosting company has a deep pocket, it may not have sufficient capital to make good on contractual obligations in the event of a breach or data loss situation, especially [...]

The Cloud: Selected Benefits, Risks, and Insurance Coverage Issues (Part 1) — Barnes & Thornburg

May 6th, 2019 | Categories: HB Risk Notes, Insurance, Technology Law

Cloud Risk: Do You Transfer Liability Along with Data?

Many of us were using data clouds before we even knew what they were. Now, while most of us are comfortable with the concept, we may not be comfortable knowing who is liable when data is lost, damaged or breached. It's not a given that your cloud provider absorbs any liabilities, and it's not a given they can even afford the liability should it arise. Below are quotes from an article by Scott Godes, Kara Cleary, and Heidi Fessler of Barnes & Thornburg LLP on the subject, and a link to their complete article.

Godes, Cleary, and Fessler list several cloud-related risks: data breaches, data loss, interruption of access, compromised credentials and broken authentication, and denial of service. But two other categories for concern are:

#1. BYOC, or Bring Your Own Cloud. Employees may be innocently using productivity applications that store work data on non-company clouds, in effect, "bringing their own clouds" to the workplace.

#2. Multi-Tenancy. This involves risks posed when unrelated cloud users are sharing the same computing resources.

"Both the cloud provider and the user must be aware of system and data security to prevent a breach in the security. In addition, when a risk is realized, it may not always be clear who is at fault for the [...]

Anderson Kill’s 5th Annual Cyber Insurance Recovery Conference

May 6th, 2019 | Categories: Corporate Compliance, HB Risk Notes, Technology Law

Recent news of "Collection 1", a cache of sensitive data now appearing for sale on the dark web and comprised of an astonishing 773 million records, is a grim reminder of the scope of cyber perils for most. Last year's staggering tally of serious data breaches and theft coupled with a spate of new legislation for companies gathering, hosting and selling consumer data means policyholders must rise to the challenge. New state legislation compounds an already daunting federal and international regulatory landscape, and regulatory compliance will be a must to deal with the attendant fines, penalties and consumer claims that non-compliance can trigger. New technology also continues to drive the evolving conversation about the legal relationships between parties transacting business electronically. Risks range from anonymity that raises jurisdictional and collection issues to “immutable” record keeping that creates a permanent, public record of transactions. --Anderson Kill

Find out more about this complimentary seminar from Anderson Kill here!

South Korea, EU Having ‘Adequacy’ Discussions

January 30th, 2019 | Categories: Corporate Compliance, HB Risk Notes, Technology Law

Because of its robust network connectedness, its advanced use of mobile devices and its rich collection of intellectual property, South Korea is a leading target for hackers. Discussions are under way between the EU and South Korea to determine whether, as a non-EU country, its data protections are adequate. Also, South Korea has joined the APEC Cross-Border Privacy Rules system. Significant caselaw is developing regarding this country’s 2011 data protection statute as well as its sector-specific laws. Daniel Solove and Paul Schwartz have selected Professor Haksoo Ko from the Law School at Seoul National University to speak at the International #PrivacySecurity Forum April 3-5, 2019. Ko will co-present to provide an up-to-date account of developments in South Korea and analyze the most important compliance hurdles. Learn more: http://bit.ly/IPSF-2019

Financial Institutions Struggle to Keep Up with ‘Changing Business Needs’ Such as Social Mobile Apps, and Getting Risk Data Quickly, Deloitte Report Suggests

January 27th, 2019 | Categories: Corporate Compliance, HB Risk Notes, Technology Law

Deloitte's report is based on a survey of 94 financial institutions around the world that operate in a range of financial sectors and with aggregate assets of $29.1 trillion. Deloitte's Edward Hida -- financial risk community of practice global leader and a partner in Deloitte Risk and Financial Advisory -- posted his executive summary of the latest Global Risk Management Survey, which is the organization's eleventh. The report is a detailed one and Deloitte draws quite a few conclusions around the continued focus on cyber security, engagement of boards of directors, increased attention to non-financial risks, the potential of digital risk management, enterprise risk management, the proliferation of Chief Risk Officers, an increased reliance on stress testing and more. A couple figures jumped out at me which show at least two challenges to financial institutions. Hear this Deloitte professional at ICRMC in Toronto April 15-16! Respondents are finding "extremely challenging" the need to keep up with changing business operational needs, such as deployment of social mobile applications, data analytics and cloud-based risks. Also in the "extremely challenging" category, not surprisingly, are threats from "sophisticated actors," like foreign governments and crackerjack hacktivists. Other issues categorized as "extremely high priority" revolve around getting quality risk data quickly. Given the average length of time other studies show that a hacker can poke around in your network before [...]

Mitigating Operational Cyber Risk: As Business Technology Changes, So Does Your Risk Profile

December 6th, 2018 | Categories: Corporate Compliance, HB Risk Notes, Technology Law

By Tom Hagy

The various risks of doing business in our digitally connected world continue to evolve. So must the approach organizations take in confronting those risks, for failing to do so in the current risk landscape can be far more dangerous than in prior years. I spoke with Nick Galletto, Global Cyber Risk Leader at Deloitte, who traced the evolution of the dangers of doing business in a digitally connected world. Early on, our focus in the cyber risk management space was on how to protect websites from being defaced, he explained. Organizations had to make sure websites were functioning properly, that data was secure, and the integrity was maintained. Galletto went on to say that we’ve moved from an era of compliance and risk management to an era of complexity. From an organization’s perspective, their focus was on making sure the company was compliant with new and evolving regulations, and risk management meant having policies, procedures and effective controls in place. “While compliance is a necessity, it is not the silver bullet that’s going to protect us from any potential breaches," Galletto said. "So organizations must look at conducting their business in this connected world not merely from a compliance perspective but from a risk perspective. A clear example of this is the number of PCI-compliant companies that were still getting breached." “Now as organizations move into an era of complexity, they need to be proactive in detecting anomalies and suspicious behavior and be prepared so their teams have [...]

Aon SVP Belfiore on Corporate Cyber Risk

November 1st, 2018 | Categories: HB Risk Notes, Insurance, Technology Law

Cyber Risk of Paramount Concern to Corporate Boards

Lack of History Remains a Challenge

"Cyber security is the most polarizing issue on the corporate board agenda these days," says Anthony Belfiore, SVP and Chief Information Security Officer at Aon. "It has the most potential impact and the most regulatory pressure among all risks companies face. Nothing is more top of mind right now." "You just have to look at the amount of media coverage and the actual realized impacts companies are experiencing. Hundreds of thousands of businesses from big to small are being affected. The entire healthcare system in the UK went down. The impact is tangible. It’s affecting day-to-day operations," he says. “And no one is immune. Board members come from a diverse set of industries, and all are impacted."

Why is cyber risk such a hot button for companies versus other types of risks?

"The risk has become more urgent as it has shifted to actual business interruption," Belfiore says. "Historically companies were concerned with data leakage and loss, or regulatory fines, but now the actual operation itself can come to a halt. When a company goes down for three days that hits the media. Analysts notice. You can trace a specific event to a drop in stock values."

Aren't fines still a concern?

"Yes. We are operating in [...]

Cyber Risks Enter a New and Increasingly Vicious Phase

October 31st, 2018 | Categories: Complex Business Litigation, HB Risk Notes, Technology Law

For anyone plotting the evolution of cyber risks, the last phase of cyber-attacks was dominated by breaches that resulted in lost or stolen personal or financial data that could then be monetized. The current phase is different. “We have observed a significant increase in the number of disruptive breaches that our clients are dealing with,” says Charles Carmakal, Vice President at Mandiant/FireEye. “These involve destruction, extortion, or public shaming.” How are organizations dealing with this shift? “It’s catching many organizations off guard. Most don’t have a playbook for dealing with extortion,” Carmakal says. “While they may have thought about a ransomware situation, that’s different from the more common type of extortion we are seeing these days, where a threat actor threatens C-level executives or corporate board members with the release of sensitive information.” “Many organizations assume the default is they wouldn’t give into the demands, but when in the middle of a crisis too often the decision is made to pay the threat actors,” he says. “So it’s important to consider what your organization will do in this situation. For example, who will be involved in the decision-making process? Organizations should play out an extortion scenario so they have a plan when faced with real demands.” How can organizations better test the efficacy of their security capabilities? Many organizations conduct penetration [...]

Protecting Intangible Assets: Risk Transfer Market Yet to Catch Up

October 12th, 2018 | Categories: HB Risk Notes, Insurance, Technology Law

Intrinsically Intangible.

by Giles Harlow, Senior Vice President, Aon (Bermuda) Ltd.

In the early 1980's, tangible assets made up around 80% of the value of the S&P 500. Fast forward to today and nearly 85% of the value of the S&P 500 is attributable to intangible assets. However, the risk transfer market has not caught up. According to the Aon/Ponemon report of last year, whilst around 60% of tangible assets (property, plant and equipment) are currently being insured, only 12% of informational assets are. So what gives? If the vast majority of companies' values in 2018 are attributable to intangibles, why are they not transferring those risks? Is it a lack of education on the client side? A lack of innovation in the brokerage community? A lack of understanding or willingness to accept these new risks on the carrier end? Or is it that whilst the marine and property markets have had centuries to evolve, the newer intangible insurance markets are just gearing up to size as they collate the data they need to properly price and model these risks? Likely, it is some combination of all of these factors. We have seen great strides in the cyber market, with double-digit premium growth over the last four-to-five years. The market has evolved from being focused on large data holders, to providing [...]

Financial Services Cyber Risk Information Sharing

September 26th, 2018 | Categories: HB Risk Notes, Insurance, Technology Law

Why We Need to be More Like Apes, Less Like Seagulls

By Tom Hagy

Featuring Craigg Ballance, Director of Canadian Member Services, FS-ISAC

Even before we can walk we are encouraged to share. We’re told to share our things even when we barely have any. Even some wild animals share food and resources – even when those resources are scarce. Some creatures are better at it than others, of course. Apes and lions? Absolutely. Seagulls? All you have to do next time you’re on the beach is toss what’s left of your ham sandwich into the air and see how generous gulls are. People fall into sharing -- and not-fond-of-sharing -- groups, too. Sharing is particularly critical in the financial sector where, while privacy and security regulations command a tight lid on data, global financial institutions are successfully sharing data about cyber risk, says Craigg Ballance, Director of Canadian Member Services for FS-ISAC in Toronto. But, he says, sharing has to take place across a broad landscape. “Information analysis sharing has to cut across the various subsets of the financial sector,” says Ballance. “While banks share local data, they are trying more and more to share globally, but,” he says, “banks need to share with other institutions, like insurers, investment funds, pension funds, and other types of financial institutions, for this [...]
