Tag Archives: cybersecurity

OCR Pronouncement on Ransomware Breach Notification May Make You “Wanna Cry”

Last week’s “WannaCry” worldwide ransomware attack hit international health organizations particularly hard. Though the attack was thwarted, not without a little good luck, and with less financial loss than might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot and stick approach – speaking about cooperation on one hand and enforcement (by OCR) on the other.

Read full article

The First Hundred Days and Cybersecurity

Executive Order Delay Trumps Administration Policy Development

President Trump’s first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration’s cyber policy – but that doesn’t mean that this period has been uneventful, particularly for those in the health care space.

Read full article

Lawrence J. Casey to Moderate SBANE’s Cybersecurity and Data Privacy Best Practices

On March 2, 2017, Davis Malm shareholder Lawrence J. Casey will moderate a panel at the Smaller Business Association of New England (SBANE) Cybersecurity and Data Privacy Best Practices program. Mr. Casey will guide panelists through a discussion on cybersecurity and privacy best practices, planning and risk management trends, and responses to breaches and attacks. The session is designed to educate small businesses on the importance of cybersecurity and provide a foundation for them to build their own data security plans.

Read full article

FFIEC Cybersecurity Tool Poses Implementation Challenges

In June 2015, the Federal Financial Institutions Examination Council published a voluntary Cybersecurity Assessment Tool to help credit unions and other institutions identify their risks and determine their cybersecurity preparedness.

Read full article

SEC Makes Cybersecurity an Examination Priority for 2016

Businesses of all sizes and in virtually every industry face the daily threat of a data breach or other cybersecurity event, as well as the challenge of managing the potentially catastrophic economic and reputational harm that can flow from such an incident. Further complicating matters is that these threats can come from any number of sources: hackers, phishers, spammers, bot-network operators, spyware and malware authors, insiders, other nations, organized criminal groups, and terrorists. SEC regulations require registered financial institutions—including broker-dealers, investment companies, and investment advisers—to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and records. In the last few years, the SEC has become increasingly vocal about cybersecurity compliance.

Read full article

Labor and employment and data privacy attorney Sherri A. Krause joins the Detroit office of McDonald Hopkins

DETROIT (January 22, 2016) – Sherri A. Krause, an experienced labor and employment and data privacy attorney, has joined the Detroit office of McDonald Hopkins LLC, a business advisory and advocacy law firm. Krause works with clients in the firm’s Data Privacy and Cybersecurity and Labor and Employment Practice Groups.

Read full article

10 Signs You Need to Update Your Data Security

Many leaders are overloaded with advice from commentators, professional service firms, and security consultants about how best to protect their organizations from the data security crisis that has been growing almost exponentially with every new major breach or data-related lawsuit. 

Read full article

“In the Future, Auto Cybersecurity Onus Could Be on Owners,” Jim Giszczak quoted in Wards Auto

While automotive cybersecurity still is in its infancy, experts in the field say in the future owners may be responsible for securing their vehicle from hacks, not manufacturers.

“When the capability exists for the manufacturer to control (security software updates), and do those updates over the air like Tesla is doing, (responsibility and liability) may shift over time,” Bruce Coventry, chairman of automotive security software firm TowerSec tells WardsAuto here during a Society of Automotive Analysts meeting on the issue of cybersecurity. 

Read full article

Data, data, data

Every day, people, enterprises and government organizations try to disentangle themselves from the increasing amounts of…

As studies show, data are now considered primary inputs for generating “business”, and a significant economic and social value is assigned to them.

Today, this phenomenon, commonly known as big data, has become a fundamental tool for a growing number of actors who, thanks to the large quantities of data available, can pursue objectives whose legal consequences are more or less foreseeable.

Essentially, the protection described in this article can be achieved in various ways, some ostensible, others real, but it is universally acknowledged that whoever wants to achieve a goal must minimize the “regulatory” and “normative” impacts in favor of maximizing the effects of data processing on their activity (be aware: we are not only referring to profits).

From the massive use of data and sophisticated analysis emerges one of the most “decisive” threats to the fundamental rights of individuals set out in Article 8 of the Charter of Fundamental Rights of the European Union. This triggers the so-called bureaucratic overload phenomenon, which is tackled with standard formulas, software and applications that mechanize ways of thinking; these are far from trivial and lead to results of questionable compliance.

As with any other topic with legal impacts, in order to understand the ramifications of the phenomenon and to face it better, we need to start by evaluating the following variables: the legitimacy of the acquisition of information, the congruence between the purposes for which the data were collected and those for which the data will be processed, and the security measures applied to the information.

Furthermore, we must resist the temptation to start from the end: with data anonymization.

According to various position papers, anonymization, as is only logical, is considered an “additional processing”, meaning that in the presence of big data, anonymization is just one step of a more complex process.

The analysis activity must make it possible to evaluate the consequences of “merging” databases from different sources. It must be considered that in the “reuse era”, the opportunity to gather large quantities of information from different sources has increased exponentially. In addition, the individuals and public administrations that release “open data” do not have the opportunity or the competence to anticipate how the data might be exploited from a business point of view.

Finally, let us not forget that the results of activities on big data can, in turn, create innovative services, and as such they should be protected.

Is big data, therefore, an unmanageable phenomenon?

No; like all phenomena, big data can be managed. The legislative framework in which it evolved is not methodologically ready to protect individuals without “compromising the uses and the applications of big data”. It is however possible to balance bureaucratic hypertrophy with an approach that takes into consideration the necessary effectiveness of the processes.

Our previous experience tells us that, as of today, we resort to a “fictional” approach: we try to demonstrate the security and compliance of the processing, making users feel “safe”, regardless of the effectiveness of that security. It is proven that when data security mechanisms “crashed”, or during a control check carried out by the Data Protection Authority, the “security” was largely compromised and the risk evaluations were out of focus, revealing a depressed and neglected picture of most of the basic data protection principles.

Conversely, using a rational approach, oriented towards privacy by design and following some valuable best-practice guidance, we can reduce the risk. In particular, once the lawful acquisition of information, the related consent and the coherence with the specified purpose have been ascertained, we must find a way to reduce the risk that individuals can be recognized.

In this sense, an initial and repeated analysis of the context, and of the events and changes that can affect it, can prevent abusive control phenomena such as the re-identification of individuals. This can be done, for example, by introducing higher levels of uncertainty, so that a given record can be attributed to more than one person (at least 3, according to the principles of statistical deontology); by eliminating the attributes that cause groups with similar characteristics to be atomistic; or by drowning the profile of the individual among a high number of others, so that the characteristics used in the analysis do not allow a specific subject to be isolated. This last activity can be carried out while leaving intact the attributes that refer to a large number of people.

According to what has been stated so far, it must be taken into consideration that these and other measures can allow big data to coexist with the current data protection framework, and that a methodical approach is by far more effective than the other measures adopted thus far.

Read full article

Data privacy and cybersecurity attorney Dominic A. Paluzzi elected Member at McDonald Hopkins

DETROIT (October 1, 2015) – Dominic A. Paluzzi, an attorney in the national Data Privacy and Cybersecurity practice at McDonald Hopkins, has been elected to the firm’s membership.

Based in Detroit, Paluzzi works with a national team of 21 data privacy and cybersecurity attorneys and has counseled clients through more than 425 data breaches and privacy incidents in a multitude of industries. A frequent speaker and writer on data privacy law, Paluzzi has conducted some 165 breach response workshops for clients. His expertise includes advising clients regarding data privacy and cybersecurity risks on both a national and international basis, including proactive compliance, incident response strategies and management, and defense of regulatory enforcement actions and single-plaintiff and class action litigation. 

Read full article