How To Protect Your Children From Identity Theft

Robinson + Cole – It is one thing to have your identity stolen as an adult, but children are defenseless against this type of fraud. According to Experian, it handles 25,000-30,000 cases of identity theft and fraud every year, and a whopping 17 percent of them affected children; the estimate is that identity theft will affect up to 25 percent of children before they reach the age of 18. That is a disturbing statistic.

According to Michael Bruemmer of Experian, children can be targeted at birth when parents apply for Social Security numbers at the hospital, and children are vulnerable because most don’t have a credit file and aren’t checking their credit report.

Warning signs for parents to pay attention to include:

  • A child receiving a credit card offer in the mail that wasn’t requested
  • Receiving an IRS notice of delinquent taxes in the child’s name
  • Collection calls regarding unpaid bills for products or services

Tips for parents to use on protecting their children’s identity include:

  • Teach your children not to give their personal information to anyone
  • Monitor and teach your children the importance of being careful about sharing their personal information online or on social media sites
  • Get a copy of your child’s credit report and monitor your child’s credit like you monitor your own
  • Push back on people and don’t allow your child’s Social Security number or other personal information to be shared with anyone who doesn’t have a need to have it (even if there is a blank on the form asking for an SSN, ask why and refuse to give it)
  • Teach your children the importance of their SSN and personal information and to keep it safe

Help your children combat identity theft and protect them from being one of the 25 percent who will be victims before they are 18.

7 Ways to Avoid Data Walking Out The Front Door When Employees Leave

Exterro – With all the news surrounding data breaches and information leaks, it’s easy to overlook the fact that the number one way sensitive or confidential information illegally enters the public domain is when employees leave their organization, according to Osterman Research’s “Best Practices for Protecting Your Data When Employees Leave Your Company” (Dec. 2016).

In fact, 69% of organizations have experienced data loss from employee movements (departure, changing roles, re-location), and 50% of employees who left their jobs in the last 12 months kept confidential corporate data.

Here are seven security measures which can help you and your organization prevent data from walking out the front door.

Security Measure #1: Limit Access to Data

Even though employees may be inconvenienced by more stringent access to certain data repositories, limiting the number of repositories where data is stored streamlines the tracking of data when legal proceedings are at issue.

  • Understand Who has Access to What: Implement policies to track employee data and put procedures in place to create alerts when certain data may have been accessed inappropriately.
  • Consider VPN Policies: This technology empowers organizations to limit access to specific data repositories when employees are working remotely, diminishing the risk that important data is transferred to personal data sources.
  • Consult IT & End Users: Before limiting access to any data, have a frank conversation with business and IT leaders about the tradeoffs between security and efficiency. Depending on how organizations use data, limiting access to data may not be the best course of business.

Security Measure #2: Evaluate Over-Archiving Policies

There’s too much data within a business to ensure all of it is archived, which is why it’s important to evaluate data archiving policies to safely secure information.

  • Identify the Must Haves: Start by asking these questions – Is the organization under regulatory requirements to store data? Are there document retention policies that enable the organization to know exactly which types of data will be archived? What technology is available to support these archiving activities? Once these questions are answered, organizations can reasonably enforce their archiving policies.
  • Get Rid of the Junk: To streamline the process for identifying data, take measures to de-duplicate data within archives and repositories, only keeping one copy of a given document at a time.

Security Measure #3: Clearly Communicate Policies

Creating the right data management policies is only half the battle. Just as important, organizations must find ways to effectively communicate these policies to their employees or else risk data loss.

  • Understanding the Why: One of the primary reasons data is lost when employees leave is that employees don’t understand the importance of ensuring all corporate data is handed over, making it essential that employees are continually briefed on the importance of these data management policies.
  • Train Third Parties: Clear communication of policies extends to external entities (vendors, law firms, etc.) as well. Typically, during legal proceedings, third parties will need to access corporate data. Ensure your data management policies address third parties and how they access data, which may include training so third parties clearly understand them.

Security Measure #4: Leverage Technology to Track Employee Status Changes

Some companies track employee movements (i.e. departures, new hires, role changes) using manual processes (i.e. assigning individuals to review spreadsheets). But as with any manual process, human error is inevitable. Use technology to automate, cutting time, errors, and stress.

  • HR System Integration: Using technology which integrates with HR systems allows legal teams to track and monitor changes not only when somebody leaves the organization, but when they change departments, locations, or job titles. Based on these results, the appropriate actions regarding employee data can be taken.
  • Develop Customized Workflows: Look for technology that can automatically task employees to take a corrective action, which may include collecting data from a departing custodian data source, suspending document retention policies for a recently departed custodian under legal hold, etc.
  • Keep an Audit Trail: Ensure all actions taken with the technology are time-stamped and recorded, just in case this process is ever questioned by opposing counsel and/or the courts.

Security Measure #5: Utilize Robust Employee Agreements

It is vital that employees are aware of exactly what is at stake regarding their use of company data (both for the company and the individual), and avoiding boilerplate employment agreements is an effective way to ensure clarity.

  • Consider State Employment Laws: Non-compete, non-solicitation, nondisclosure agreements vary significantly between states. Some, like California, are much stricter on allowing companies to impose restrictions on employees, making it imperative to stay up on state employment laws. Include specific terms showing the scope and restrictions in the agreement are reasonable, which can help get a temporary restraining order or an injunction to protect corporate data.
  • Confirm Employees Understand this Agreement: From both a deterrent and legal remedy perspective, employees should sign employee agreements regarding data separate from other employee forms. HR should walk through the policies with them to certify their understanding, then memorialize it in the HR file, so it’s clear that this agreement is not just another signature on a page.

Security Measure #6: Implement Coordinated Security Measures

It’s important to balance physical security with network security, while keeping things convenient for users, yet effective.

  • Manage All Data Sources: Implementing strong passwords and using keycards to access company property is a no brainer. But remember to consider other less-obvious protection measures like locking down USB storage devices. Simply put, make sure all data sources are managed and under the purview of IT.
  • Use DLP Software to Monitor Data on the Cloud: Whether using managed cloud storage solutions, like Office 365 or box.com, or more standard platforms, like Dropbox or a personal Google Drive, data leak protection (DLP) software provides added security by alerting and logging when files are moved or accessed. This will limit the damage when employees attempt to remove secure data from the network (maybe by downloading it to a USB).

Security Measure #7: Conduct Exit Interviews

Exit interviews accomplish two aims: first, to determine if the employee might potentially go to work for a competitor; and second, to remind the employee of any policies or agreements, and certify that they understand their obligations when leaving the company.

  • Interviews Can Evaluate Risk Potential: The exit interview can be a good opportunity to learn if risk is heightened (e.g. an employee who might be disgruntled or going to work for a competitor). If that’s the case, the company may take steps, such as sending a letter informing the new employer of this employee’s obligations. An exit interview can also provide evidence if the employee happens to lie about what he or she is going to do, and legal remedy is pursued.
  • Exit Interviews are Easy to Skip (So Don’t!): Often, the exit interview is a step that companies skip, but the interview can be valuable in determining if action needs to be taken, whether that means monitoring an employee’s computer or automatically preserving its data rather than immediately wiping it.

Conclusion:

We all lose things: keys, phones, remotes. And sometimes, when we can’t find them, there are consequences—some bigger than others. Corporate legal teams are no different when it comes to company data – except the stakes are much higher and the consequences are far reaching and costly. Following these best practices can go a long way toward keeping everything secure and safe.

Author – Jim Gill

UK’s Plans For New Cybersecurity Innovation Centre

King & Spalding – 

On July 24, 2017, the UK Department for Digital, Culture, Media and Sport (“DCMS”) announced plans to develop a new center for cybersecurity innovation in London. The UK plans to invest up to £14.5 million in the center over three years to foster development of next generation cybersecurity technology.

The UK government seeks to use the new cybersecurity innovation center to bring together large firms, startups, and industry experts “to develop the new technologies businesses will need to protect themselves.” According to the DCMS announcement, goals of the cybersecurity innovation center include establishing London as a leader in the fight against cyber-attacks and threats, bolstering the UK’s cybersecurity defenses, and helping make the UK “the best place to start and grow a digital business and safest place to be online.”

The announced investment is part of a larger £1.9 billion UK government investment in cybersecurity, implementing the UK government’s National Cyber Security Strategy 2016 to 2021. DCMS has solicited bids for the development and design of the new cybersecurity innovation center, which is expected to open in early 2018.

How You Can Fight Back Against Ransomware

Fox Rothschild

Ransomware is back in the news. Yet again, massive and not-so-massive corporate enterprises find themselves at risk of having their computer systems and records held hostage to internet raiders. And, in an added twist, this time systems are not necessarily unlocked even after the ransom is paid.

What can you do? The key is advance preventative measures.

Over at Fox Rothschild’s Privacy Compliance and Data Security blog, we follow these issues regularly. There, we have noted that the United States Computer Emergency Readiness Team at the Department of Homeland Security has provided several recommendations for preventative measures individuals and organizations can take against ransomware attacks, including the following:

  • Have a data backup and recovery plan which can be tested regularly for all critical information;
  • Backups should be kept on separate storage devices;
  • Allow only specified programs to run on computers and web servers to prevent unapproved programs from running (known as application whitelisting);
  • Make use of patches to keep software and operating systems current with the latest updates;
  • Maintain current anti-virus software and scan all downloaded software from the internet prior to executing;
  • The “Least Privilege” principle should prevail – restrict users’ access to unnecessary software, systems, applications, and networks through the usage of permissions;
  • Preclude enabling macros from email attachments. Enabling macros allows embedded code to execute malware on the device. Organizations should have blocking software to cut off email messages with suspicious attachments; and last, but certainly not least,
  • Do Not Click on unsolicited Web links in emails.

As usual, you should always report hacking or fraud incidents to the FBI’s Internet Crime Complaint Center (IC3).

In the case of the current attack, one of the ways it seems to be spreading is through the use of auto-updating software for an accountancy program. This method of transmission points out the critical importance of turning off “auto-update” self-executing software and scanning every download prior to installation.

Author – John Gotaskie Jr

Cybersecurity is a Key Risk Factor in M&A Deals


Cybercrime has emerged as one of the foremost threats a company faces. As a result of a few keystrokes, a company may find its customers’ data sold on the dark web, its intellectual property in the hands of a competitor or its operations paralyzed by ransomware. It should come as little surprise, then, that cybersecurity has become a key risk factor in mergers and acquisitions.

A 2016 survey by West Monroe Partners and Mergermarket found that 77 percent of top-level corporate executives and private equity partners reported that the importance of cybersecurity at M&A targets had increased significantly in recent years. Given this trend, executives and directors contemplating acquisitions should consider the following cyber-related issues when conducting due diligence.

Key Considerations

Most companies depend on digital assets, whether in the form of customer data, trade secrets or business plans. Those assets are not only vulnerable to theft or destruction, they also may trigger complicated and evolving cybersecurity and privacy mandates from a variety of regulators in the United States and abroad.

As a result, an acquiring company risks buying a company whose digital assets have already been compromised or assuming liabilities for past noncompliance with cybersecurity and data privacy laws. The latter could mean the acquiring company would take on potential fines, damages from private actions and lengthy consent decrees.

Cybersecurity due diligence cannot be one-size-fits-all. As with any diligence effort, the scope will depend on the transaction timeline as well as the target company’s industry, the value of its digital assets, its regulatory environment and its cyberrisk profile.

Key areas to consider in cybersecurity due diligence are:

Industry Standards. One threshold question for the diligence team is whether the target company meets the relevant industry standards for cybersecurity practices and procedures. That assessment should involve interviews of key staff at the target company and a review of relevant documents, such as reports of vulnerability assessments, penetration testing, vendor audits and any resulting remedial measures, incident response plans and incident reports.

Special attention should be paid to the maturity of the company’s cybersecurity governance and vendor management, the terms of any indemnification and cyber insurance policies, the existence of any past cybersecurity incidents and how they were handled, and whether the company has interacted with regulators, law enforcement or other third parties regarding potential cybersecurity and data privacy incidents.

Target Company’s Network Security.

The diligence team cannot simply rely on a target company’s assurances without verification because organizations with serious security gaps seldom recognize the problem. According to a report by cybersecurity firm FireEye, companies more frequently find out about a data breach from an outside source (e.g., law enforcement or a security vendor) than internally, and the median time to discover an incident is 146 days.

If the target has never engaged a third-party forensic firm to conduct vulnerability assessments and penetration testing — a scenario that is becoming less common in many industries — the acquirer may want to retain a firm to undertake its own testing on the target company’s network and perhaps even conduct searches on the dark web (the part of the internet that may only be reached with anonymization tools and where many hackers sell their spoils) to see whether the target’s customer data or intellectual property is already compromised and available for sale.

The acquirer should be aware, however, that the target will likely opt to conduct its own testing and provide a report rather than allow the acquirer to do so.

In an extreme scenario, the diligence investigation may uncover hackers lurking in the target company’s network, but more likely the result will be a risk calculation based on the target company’s governance and the administrative, technical and physical information security controls it uses to protect digital assets.

Deal Terms.

The diligence results should inform deal terms, costs to remediate gaps in compliance or risk management, and any post-deal indemnity claims. One way to try to verify a target’s representations about its cybersecurity and allocate potential liabilities is through well-crafted representations and warranties.

Those provisions should be tailored to the target company’s industry and regulatory environment, any risks identified in the diligence process and the acquirer’s risk tolerance. At a minimum, representations and warranties should cover compliance by the target (and its affiliates and vendors) with applicable cybersecurity and data privacy laws and with its own internal and external privacy policies, and the absence of unauthorized access to the target’s network.

Acquirers should be prepared for the target company to request qualifications to these representations and warranties, limiting them to the knowledge of the target’s management, imposing a materiality threshold or drafting exceptions in the disclosure schedule regarding the inability to know with certainty about cyber intrusions.

An acquirer’s willingness to acquiesce to such qualifications will depend in part on what the diligence investigation revealed. Indemnity may also be used to hold the target responsible for its representations and liable for hidden or undisclosed cybersecurity and data privacy liabilities that arise after closing. The parameters for these indemnity provisions should likewise flow from the diligence findings.

Cyber Insurance.

The payoff for cybersecurity due diligence comes not only in deal negotiation but also in securing insurance, whether that be standalone cyber insurance or representation and warranty insurance, which has become commonplace in M&A transactions.

In either case, in deciding whether to insure for cyberrisk, an underwriter likely will consider the quality and depth of the acquirer’s diligence review. Thus, a robust cybersecurity diligence investigation will likely pave the way for more favorable insurance policy terms.

Conclusion

Mergers and acquisitions due diligence has long been a critical tool for uncovering and protecting against key risks in a transaction. In our data-driven economy, cyberrisk must not be overlooked. Given the operational, financial and reputational costs at stake, cybersecurity should join the ranks of other traditional due diligence inquiries in deal practice.

Authors – Shilpi Gupta, Stuart D Levi, William Ridgway

How To Deal With the Growing Threat of Ransomware Attacks

Parker Poe –

Ransomware attacks have been surging the past few years and reached a headline-grabbing peak with the recent hijacking of computers in English hospitals, Chinese universities and countless businesses worldwide. This should be the last wake up call for companies, nonprofits and government agencies possessing sensitive, potentially valuable data.

In the world of cyber-espionage, ransomware is playing a huge and growing role.
Ransomware is aptly named: It’s essentially a way for hackers to hold your files hostage and seek a ransom to release them.

A U.S. government interagency report describes it as “the fastest-growing malware threat, targeting users of all types – from the home user to the corporate network.”

The sheer volume of these attacks is staggering. The interagency report says there are thousands of them every day, and last year there was a 300 percent increase compared to the year before. Although the government often does not encourage paying the ransoms, studies have found that more than half of victims do.

Why Hackers Use Ransomware and Who They Go After

That’s an obvious first reason hackers are favoring this approach – it pays. The hackers rarely ask for astronomical amounts. Instead, they ask for an amount that many people would consider paying.

The recent global attack asked for individual ransoms of $300 paid in bitcoin, for example. However, companies should work through their options and consult with law enforcement before making a payment. It can be a slippery slope, with the hackers then asking for more money.

Another reason for ransomware’s increasing use is that, from a cyber-espionage standpoint, it’s relatively easy. Think about other kinds of robbers: After they steal something, there’s additional risk in figuring out how and where to sell their stolen goods. With ransomware, most of the time it’s a one-stop robbery – the hackers sell right back to who they stole from.

There are certain industries that are the biggest targets for this type of attack. The hackers know they can get the best returns on large pools of aggregated, sensitive data. For that reason, they often go after banks, hospital systems and law firms, to name a few.

The ransomware attacks started with what you’d think of as “big fish,” large companies that have the most data. But as those companies are implementing more sophisticated cybersecurity policies, hackers are going after smaller organizations too, including nonprofits. They sometimes see them as low-hanging fruit because the organizations may not have invested in the proper cybersecurity infrastructure.

How Organizations Can Protect Themselves

So what should a company do? The first step is simple: back up your data. That way, no matter what the hackers steal, you have another copy.

In addition, organizations should have detailed cybersecurity and data privacy policies that they regularly train their employees on.

Many companies are developing protocols to warn staff about clicking on external links and attachments. Some also do test phishing to see if their employees need more training. There are a variety of compliance-related steps that can help protect your data or at least mitigate some of the damage a breach can cause. Counsel can help you craft policies that are tailored to your needs.

In addition, it is essential that organizations understand their legal obligations before and after a breach. Those can vary by state and industry, so it’s important to have a firm grip on your requirements before anything happens. Once a breach does occur, there are legal obligations to navigate as your organization responds. In the health care industry, for example, notification of victims is required when their sensitive health information is taken.

There is also a growing number of lawsuits about these types of breaches, including class action lawsuits. Expect litigation on this to build as ransomware attacks continue.

Author – 

A partner at law firm Parker Poe, Sarah Hutchins is a litigator with experience in commercial litigation and government investigation defense.

Cyber Security Risk – A New Zealand Perspective

Bell Gully on Cyber Security Risk

Bell Gully – New Zealand

Cyber attacks are growing in scale and sophistication just as many businesses are increasingly providing and using products and services online.

Concern is fuelled by well-resourced and high profile businesses publicly falling prey to cyber attacks. As a result, in addition to commercial concerns, more and more businesses and boards of directors are questioning: what are our legal obligations and tools relevant to cyber security?

Like many businesses, Bell Gully recognises that cyber security is much more than a technology issue. We have a cross-practice team experienced in cyber security issues.

Our cyber security team brings together expertise in privacy and data protection, employment, governance, commercial, consumer, technology and e-commerce, intellectual property, insurance and risk, financial services, crisis management and litigation.

Our team helps clients to understand their cyber risks, to manage and transfer those risks through insurance and contractual means, and to understand and satisfy governance, contractual and regulatory obligations. We also assist our clients to prepare cyber incident response plans and to manage cyber security incidents and breaches when they occur.
