John Reed Stark

The Capital One data hack has attracted a great deal of attention, not least because of the size and extent of the breach, but also because the hacker apparently managed to steal data from The Cloud. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a closer look at this aspect of the Capital One data breach and asked whether Amazon, the cloud service provider, can be held liable for the hack? Stark takes a close look at the technology involved and analyzes the potential liability issues between Capital One, on the one hand, and Amazon, on the other. A version of this article originally appeared on Securities Docket. My thanks to John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Is Amazon Liable for the Capital One Hack?

In addition to all of the other risks, liabilities and exposures arising from cybersecurity concerns, you can now add the possibility of a whistleblower action for cybersecurity fraud. According to a July 31, 2019 press release from counsel for the whistleblower involved (here), Cisco Systems has agreed to an $8.6 million settlement in what the press release claims is the “first cybersecurity whistleblower case ever successfully litigated under the False Claims Act.” Cisco has agreed to pay the amount to settle allegations that the company knowingly sold vulnerable and defective video surveillance software to federal, state, and local government agencies, exposing the systems to unauthorized access. As discussed below, this development even further expands the range of concerns companies must take into account when assessing their cybersecurity exposures. An August 12, 2019 memo from the Jones Day law firm about the settlement and its implications can be found here.
Continue Reading Cybersecurity Whistleblower Claim under the False Claims Act Settled

John Reed Stark

The news of the recent massive data breach at Capital One made the front pages of the business sections of newspapers across the country. The hack has drawn attention not just because of the magnitude of the hack, but also because the hackers apparently managed to steal data from The Cloud. The Capital Data breach represents a “wake-up call” for boards of directors, according to the following guest post from John Reed Stark. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. My thanks to John for allowing me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: What the Capital One Hack Means for Board of Directors

Paul Ferrillo
Christophe Veltsos

In the following guest post, Paul Ferrillo and Christophe Veltsos consider the implications of the recently announced bankruptcy of the corporate parent of a medical billing company following a high-profile date breach at the billing company. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. I would like to than Paul and Chris for their willingness to allow me to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Chris’s article.
Continue Reading Guest Post: Buckle up Directors: Cybersecurity Risk and Bankruptcy Risk Are Not Mutually Exclusive

In the following guest post, Paul Ferrillo and Chris Veltsos take a look at the latest consequences that companies are now facing following a data breach – a rating agency downgrade. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. I would like to thank Paul and Chris for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest article. Here is Paul and Chris’s article.
Continue Reading Guest Post: Rating Agency Downgrades Following Cyber Breaches — Are They the Canary in the D&O Coal Mine?

Paul Ferrillo
Christophe Veltsos

In the second part of a three part series, Paul Ferrillo and Christophe Veltsos explain how cyber risk assessments can provide value. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes.  The first article in their series can be found here. In a forthcoming third article, the authors will address the technical tools side of cyber assessment, as opposed to people/processes/governance. I would like to thank Paul and Chris for their willingness to allow me to publish their article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Paul and Chris’s article is set out below.
Continue Reading Guest Post: Cyber Risk Health Factors Case Study — Technology Alone Can’t Fix Security

Francis Kean

In the following guest post, Francis Kean, Executive Director FINEX Willis Towers Watson, take a look at an interesting and arguably surprising recent U.K. judicial decision in which a supermarket chain was held liable for the unauthorized Internet disclosure of its employees’ personal data. Francis has some interesting observations about the decision’s possible implications as well. A version of this article previously was published on the Willis Towers Watson Wire blog (here). I would like to thank Francis for allowing me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Francis’s article:
Continue Reading Guest Post: Claims Against Directors for Failure to Insure Against Cyber Risk Are More Likely Now

Paul A. Ferrillo
Christophe Veltsos

The threats to data security are substantial. Every organization faces some level of cyber risk. So how do we get better at cybersecurity? That is the question that Paul Ferrillo and Christophe Veltsos ask in the following guest post. Paul is a shareholder in the Greenberg Traurig law firm’s Cybersecurity, Privacy, and Crisis Management Practice. Chris is is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. I would like to thank Paul and Chris for their willingness to allow me to publish their article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Paul and Chris’s article is set out below. Please be sure to also see the item at the end of the post about International Women’s Day.
Continue Reading Guest Post: The Missing Link of Cybersecurity — Time for a Cyber Risk Check-Up

Libby Benet

In the current environment, most people are aware that there are serious pitfalls and problems involved with data security and privacy. However, business leaders may not always be aware of their legal and ethical duties for securing employee, customer, and partner information. In the following guest post, Libby Benet, JD, CIPP US, Principal Benet Consulting, takes a look at these issues, as well as the important differences between information security and privacy. I would like to thank Libby for allowing me to publish her article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Libby’s article.
Continue Reading Guest Post: Information Security and Privacy – What Business Leaders Need To Know

Bill Boeck

In June 2017, the food company Mondelez International was one of the companies hit by the major global computer malware attack dubbed NotPetya. According to news reports, the malware caused damage to the company’s network servers and computers in excess of $100 million. Various sources have attributed the malware attack to the Russian military. Mondelez submitted its losses to its property insurer, which denied coverage in reliance on the policy’s war exclusion. Mondelez and its insurer are now in coverage litigation. In the following guest post, Bill Boeck takes a look at the litigation and its implications. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies.  He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements.  Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.
Continue Reading Guest Post: War Exclusions and Cyber Attacks