John Reed Stark

Readers undoubtedly are aware of the recent outbreak of ransomware incidents and the problems they present. The threat of ransomware attacks poses a host of issues, among the most significant of which is whether or not ransomware victims should go ahead and make the demanded ransomware payment as the quickest way to try to recover captured systems. In the following blog post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a comprehensive look at the problems involved with making payments in response to a ransomware attack. A version of this article originally appeared on CybersecurityDocket.

I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit an article. Here is John’s guest post.
Continue Reading Guest Post: Ransomware Payment: Legality, Logistics, Mitigation, and Insurance

Cybersecurity has been and remains one of the hot topics in corporate governance. Several federal regulatory agencies, including the SEC, have made it clear that cybersecurity is a high priority item and at the top of their agenda. The SEC’s particular cybersecurity focus has been on consumer privacy and on corporate disclosure. But though the SEC has made cybersecurity issues, including disclosure, a top priority, it appears to be the case that very few public companies are actually disclosing cybersecurity and data breach incidents in their SEC filings. The current disclosure practices could be a concern for investors – and for D&O underwriters.
Continue Reading Cybersecurity Disclosure Practices: What’s Up With That?

Stephen O’Donnell

Cyber liability insurance is a relatively new product and many of the terms and conditions found in cyber-liability policies are as yet untested in the courts. In this guest post, Stephen O’Donnell of the Steptoe & Johnson law firm takes a look at two particular standard features of the cyber liability insurance policies, the retroactive date and policy inception date exclusions, and the potential for these exclusions to preclude coverage for the very kind of exposures that are the reasons most purchasers buy the insurance.

I would like to thank Stephen for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Stephen’s guest post.

Continue Reading Guest Post: Cyber-Liability Insurance and the Retroactive Date Exclusion

John Reed Stark

There have been several very high profile news reports of significant law firm data breaches. It is not a mere coincidence that law firms increasingly are targeted in data breach attacks. Law firms have a trove of information that makes them highly attractive to cybercriminals. In the following guest post, John Reed Stark takes a look at the reasons for the rise in the number of cyber attacks as well as the steps that law firms can take to try to defend themselves and their clients. John is the President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on CybersecurityDocket.com. I would like to thank John for his willingness to publish his article on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Continue Reading Guest Post: Law Firms and Cybersecurity: A Comprehensive Guide for Law Firm Executive Committees

In the following guest post, Paul Ferrillo of the Weil Gotshal law firm and Christophe Veltsos, CISSP, CISA, and CIPP, and an Associate Professor at Minnesota State University, Mankato, take a look at a recent NASDAQ survey of corporate officials in multiple countries on the topic of cybersecurity accountability. As Paul and Christophe detail, there is reason to be concerned about the apparent lack of cybersecurity literacy, awareness and risk assessments among corporate officials surveyed. The authors also take a look at the steps companies can take to address these concerns.

I would like to thank Paul and Christophe for their willingness to publish their guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Christophe’s guest post.
Continue Reading Guest Post: Grading Global Boards of Directors on Cybersecurity

In the following guest post, Paul A. Ferrillo and Christophe Veltsos take a look at the next-level concepts companies should adopt to improve their data breach detection and response time, perhaps allowing them to kick attackers off their networks before bad things happen. Paul Ferrillo is a member of the Cybersecurity, Data Privacy & Information Management practice at Weil, Gotshal & Manges LLP, and a featured speaker at the upcoming Incident Response Forum on March 31, 2016, in Washington, D.C. Christophe Veltsos, PhD, CISSP, CISA, CIPP, GCFA, regularly teaches Information Security and Information Warfare classes at Minnesota State University. I would like to thank Paul and Christophe for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Christophe’s guest post.
Continue Reading Guest Post: Next-Level Cybersecurity Incident Response Trends 2016

According to the company’s December 9, 2015 press release (here), Wyndham Worldwide has reached a settlement with the Federal Trade Commission in the long-running and high-profile civil action the agency filed against the company and its affiliates in connection with data breaches at the company during the period 2008-2010. Under the terms of the settlement, the company has agreed to undertake certain measures and to continue to meet certain standards with respect to its customers’ payment card information. As the company said in its press release about the settlement, the company’s undertakings in the settlement set “a standard for what the government considers reasonable data security of payment card information.” The FTC’s December 9, 2015 press release about the settlement can be found here. The parties’ stipulated order for injunction, which is subject to court approval, can be found here.
Continue Reading Wyndham Worldwide Settles Data Breach-Related FTC Enforcement Action

Following the Third Circuit’s August 2015 decision in which the appellate court affirmed the Federal Trade Commission’s authority to pursue an enforcement action against Wyndham Worldwide alleging that the company failed to make reasonable efforts to protect consumers’ private information, there have been concerns that other companies experiencing data breaches could be the target of enforcement actions by the FTC and other regulatory agencies. However, a recent decision by the FTC’s Chief Administrative Law Judge has set a high bar for the degree and kind of consumer harm that must be shown in order for the FTC to be able to pursue a data breach-related claim under Section 5 of the FTC Act.

In a 92-page November 13, 2015 opinion (here), FTC Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD, Inc., based on his holding that the FTC had failed to meet its burden to show that the company’s data security practices had caused or were likely to cause harm to consumers. As discussed below, the agency intends to appeal the ALJ’s ruling, but as it stands the ruling could provide companies that are the target of an FTC data breach-related enforcement action a basis upon which to try to challenge the sufficiency of the FTC’s allegations.
Continue Reading FTC Data Breach-Related Enforcement Action Dismissed Based on Lack of Alleged Consumer Harm

We live in a world in which rapidly shifting technologies and communications modalities have changed the way we interact and conduct business. These new media and means of interaction have introduced innumerable benefits and efficiencies. Unfortunately, these new alternatives have down sides; among other things, they mean new risks and even liability exposures for both individuals and companies that use them. We are all well aware of what can happen to a company that experiences a major data breach. But the new technologies and communications approaches also introduce a host of other potential business liability risks and exposures.

In the new 2015 edition of their interesting and readable book Cyber Risks, Social Media and Insurance: A Guide to Risk Assessment and Management (here), Carrie Cope, Dirk E. Ehlers and Keith W. Mandell take a comprehensive look at the new technologies and communications approaches, review the changed liability environment that these new alternatives present, analyze the current state of the insurance marketplace for these various exposures, and make some projections about what may lie ahead.
Continue Reading Book Review: Cyber Risks, Social Media and Insurance