Simon Isgar and Bernadette Pinto of Kennedys write, in part: The Saudi Aramco attack of 2012 has been described3 as the first ‘hackavist-style’ assault to use malware. The attack managed to destroy 30,000 computers within the Aramco network, which were believed by security researchers to have been infected with the Shamoon malware. The consequences faced by…
Category: Federal
Arming Employers Against Internal Hackers, the 11th Circuit Clarifies CFAA’s “Loss” Requirement
Carol Mongtgomery of Butler Snow LLP writes: The Eleventh Circuit ruled last week in a wrongful discharge turned Computer Fraud and Abuse Act (“CFAA”) case, spinning the employee’s case against his employer on its head. The facts of Brown Jordan International, Inc. v. Carmicle stemmed from the employment of Christopher Carmicle by Brown Jordan, a furniture manufacturer….
PII Training Required for Government Contractors, Effective Jan. 19
Christian B. Nagel, Todd R. Steggerda, Ronald L. Fouse, David G. Dargatis, and Edwin O. Childs of McGuireWoods LLP write: Beginning January 19, federal government contracts will contain additional training requirements for contractors who deal with personally identifiable information (PII) or with a system of records. Affected contractors must provide privacy training to their employees,…
“….and in no case later than 60 calendar days after discovery of a breach”
I’ve been encouraging (ok, nagging) HIPAA lawyer Jeff Drummond of Jackson Walker to write a post explaining what the 60-day notification provision really means in HIPAA, as I’ve always had a lot of questions about it, such as: Does the 60-day clock start when the covered entity (CE) first discovers that they might have a…
EBA’s Proposed Guidelines Call for 2-Hour Notice of Data Breach
From PayBefore: The European Banking Authority (EBA) working with the European Central Bank (ECB) recently released a consultation paper on guidelines for payment service providers (PSPs) to follow in the event of security breaches. Among the suggested mandates is notifying authorities of an incident within two hours from the moment the breach is detected—that’s significantly faster than…
New cyber incident notification guidelines take effect April 1, 2017
Tony Ware reports: The U.S. Computer Emergency Readiness Team (US-CERT) is implementing new reporting requirements beginning April 1, 2017, and just released new guidelines to help federal departments and agencies; state, local, tribal, and territorial government entities; information sharing and analysis organizations; and foreign, commercial and private-sector organizations submit incident notifications. An “incident” is defined…