
Cyber Beware: E-Gaming and Cyber-Criminality | Manatt, Phelps & Phillips, LLP


Another major video game developer and publisher has experienced a cyberattack that reportedly resulted in the exfiltration of more than three-quarters of a terabyte of data, including source code, software development kits and game engines. According to news reports, the threat actors gained access through the company's Slack channels, using stolen authentication cookies and what appears to have been a well-executed spear-phishing attack that tricked an employee into supplying a multifactor authentication token. At the same time, other recent reports have described malware concealed inside profile images on gaming platforms, a technique similar to hiding malicious payloads in website favicons.

Meanwhile, esports has become big business and mainstream, with huge amounts of data and significant capital transactions. A League of Legends tournament was featured in the Netflix documentary 7 Days Out, and Sports Illustrated’s July 2021 cover story was about an esports team. Even the Olympics reportedly is considering including esports.

The combination of threat actors turning their attention to the video game industry and the rise of esports shows how important it is for the industry, and for esports platforms and leagues, to increase their cybersecurity awareness. As with other technology developments, the risk reaches the individual player as well: into the home, onto personal computing devices and into financial accounts. As presently situated, the industry and esports present attractive targets to cyber threat actors. The following are a few examples of areas that need significant attention.

First, attackers may seek player or subscriber account information. Many games today—from MMORPGs and Web3-based platforms to sports and real-time strategy games, and everything in between—include online play or DLC components. For those, the publisher may be collecting significant amounts of information about the players—information with significant market value to marketers and threat actors, such as payment information, geolocation, crypto addresses, or other personal information valuable for phishing and other social engineering attacks against individuals and their employers. Recent news reports about posting social media profiles to websites for…


Reach Of Ohio Ransomware Ruling Limited To Policy At Hand | Zelle LLP


Law360 Insurance Authority
January 19, 2022


We are still in the relatively early stages of jurisprudence addressing the insurability of loss stemming from data breaches.

Compared to the more developed body of case law interpreting coverage provisions and exclusions contained in more traditional property insurance policies, case law exploring coverage issues under so-called silent cyber or stand-alone cyber policies is sparse.

As such, when any new decision does come down in this arena, it sparks commentary.

This was true for the recent Ohio appellate court decision in EMOI Services Inc. v. Owners Insurance Co.,[1] in which the Ohio Court of Appeals’ Second Appellate District reversed the common pleas court’s summary judgment ruling in favor of the insurer and allowed the insured’s silent cyber claim to proceed.

The majority’s decision in EMOI has come under fire from the insurance bar for being results-oriented and ignoring precedent. Conversely, policyholder attorneys have lauded the decision, going so far as to claim that EMOI stands for the proposition that a policy insuring physical loss or damage does not require physical alteration of property.

But are these criticisms and characterizations fair? And what lessons can we take from this rare and candid discussion by a court grappling with the bounds of insurance coverage for data loss?

EMOI’s holding was dependent on very specific policy language.

In EMOI, a medical billing company sustained a ransomware attack, paid the ransom, decrypted most of its data and then sued its property insurer for claimed business interruption losses and alleged damage to computer software.

Careful review of the appellate court’s decision in EMOI indicates that its holding was entirely dependent on the unique language of the Owners’ electronic equipment endorsement contained in the policy at issue.

That endorsement covered “direct physical loss of or damage to ‘media,’” where media was defined as “materials on which information is recorded such as film, magnetic tape, paper tape, disks, drums, and cards.”

Importantly, the definition section goes on to state that “media” includes “computer…


Federal Trade Commission publishes final updated Safeguards Rule | Thompson Coburn LLP


On October 27, 2021, the Federal Trade Commission (“FTC”) announced significant updates to the Safeguards Rule. The FTC asked for comments on the Rule in 2019 and held a public workshop on the Rule in 2020. The Final Rule was published in the Federal Register on December 9, 2021. The Rule is effective on January 10, 2022; however, most of its substantive provisions take effect one year from the publication date.

Per the final rule summary, the amended Rule contains five primary changes:

  • “First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. 
  • Second, it adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies. 
  • Third, it exempts financial institutions that collect less customer information from certain requirements. 
  • Fourth, it expands the definition of ‘financial institution’ to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This change adds ‘finders’–companies that bring together buyers and sellers of a product or service– within the scope of the Rule. 
  • Finally, the Final Rule defines several terms and provides related examples in the Rule itself rather than incorporate them by reference from the Privacy of Consumer Financial Information Rule (‘Privacy Rule’).”

Substantively, the amended Rule generally follows the approach outlined in the 2019 proposal with certain amendments and clarifications.

The 2021 changes to the Safeguards Rule passed by a 3-2 vote of the FTC, with the three “yes” votes coming from Democrats and the two “no” votes from Republicans. Commissioners Noah Joshua Phillips and Christine S. Wilson dissented. Commissioner Rebecca Kelly Slaughter and Chair Lina M. Khan also released a joint statement. The split vote on the final Rule, as well as on the 2019 proposed Rule, reflects a change from prior rulemakings in the security…


App-etite for Notification: FTC Says “Welcome to the Jungle” to Mobile Health App Developers in Policy Statement on Health Breach Notification Rule | Wyrick Robbins Yates & Ponton LLP


Last week’s news that the Federal Trade Commission is taking steps to begin rulemaking on consumer privacy and artificial intelligence drew plenty of attention from privacy professionals, and suggests 2022 could be an interesting year for federal regulation of privacy and data security. But that development is only one of a series of moves the Commission has recently made in this space. In September, a divided Commission issued a Policy Statement that adopts a surprisingly broad interpretation of the FTC’s existing Health Breach Notification Rule, and suggests the FTC is seeking opportunities to use its existing authority to crack down on mobile health apps’ lax privacy and data security practices.

In that Policy Statement, the FTC takes the position that the Health Breach Notification Rule, which applies to “vendors of personal health records,” covers any mobile app that processes health information and that can draw personal information from multiple sources. The FTC also states that the Rule broadly requires notification of any unauthorized access to consumer health information, including the sharing of a consumer’s health information without the consumer’s authorization.

Mobile health app developers should take careful note of the Policy Statement’s interpretations and assess their offerings’ compliance posture accordingly.

Overview of the Health Breach Notification Rule

The FTC issued the Health Breach Notification Rule in 2009 to impose breach notification requirements on companies that process consumer health information but are not subject to HIPAA. To that end, the Rule requires a “vendor of personal health records” to notify affected consumers and the FTC whenever “unsecured [personal health record] identifiable health information [is] acquired by an unauthorized person” as a result of “a breach of security of unsecured [personal health record] identifiable health information.” A “vendor of personal health records” is an entity that (1) is not a HIPAA covered entity or business associate and (2) offers or maintains “personal health records.”

“Personal health records” are in turn defined under the Rule as electronic…
