Posted onDecember 5, 2021byHenry Sneath|Comments Off on Kaseya – Ransomware Attack Indictments; Podcast Update 12/5/21
The U.S. Justice Department and the FBI have announced indictments and money seizure in the ransomware attack perpetrated against software giant Kaseya. Hear the details in this 10 minute podcast.
Posted onJuly 9, 2021byHenry Sneath|Comments Off on Kaseya VSA Supply-Chain Ransomware Attack Update 7-9-21 Podcast
Here is the latest on the Kaseya VSA supply-chain ransomware attack which is interesting because there is now strong interplay between the United States government and companies like Kaseya given the national security implications of this type of ransomware attack. Please feel free to listen to this podcast with a brief update on the government involvement in the response to this ransomware attack and on the type of directives that the federal government is now giving out through government agencies like the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. It was widely reported that the CEO of Kaseya on 1st notification of this ransomware attack contacted the federal government and spoke with national security officials at the White House and in the Department of Homeland Security. Obviously, every ransomware attack will not necessarily invoke this high-level government response, but more and more the government is involving itself in the investigation and response to these attacks which have been heavily linked to entities like REvil which is alleged to be based in Russia. Pres. Biden today allegedly called Pres. Putin to once again warn him regarding the cybersecurity attacks and he promised in the media that there would be a response from the United States. For more information on the specific CISA-FBI recommendations in response to the Kaseya VSA supply-chain ransomware attack see this link to the CISA website: https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa . See the link below for my short podcast with this update.
U.S. Supreme Court Issues Important Opinion in Coinbase v. Bielski: Reverses 9th Circuit on Stay Issue –
PIT IP Tech Cast
Court Makes Mandatory a Stay of District Court Actions on Interlocutory Appeal from Denial of Motion to Compel Arbitration
The United States Supreme Court, in a somewhat controversial ruling today, has resolved a circuit split by ruling that interlocutory appeals from a federal district court’s denial of a motion to compel arbitration must automatically stay the underlying District Court case. On June 23, 2023, the Supremes in Coinbase, Inc. v. Bielski, No. 22 – 105 (599 U.S. ____ 2023), held that the district court must stay its proceedings while an interlocutory appeal on the question of arbitrability is ongoing.
Posted onJuly 6, 2021byHenry Sneath|Comments Off on Kaseya VSA Server Ransomware Attack July 2021 – Lessons and Protocols for Dealing with Data Breach
Podcast:
U.S. Supreme Court Issues Important Opinion in Coinbase v. Bielski: Reverses 9th Circuit on Stay Issue –
PIT IP Tech Cast
Court Makes Mandatory a Stay of District Court Actions on Interlocutory Appeal from Denial of Motion to Compel Arbitration
The United States Supreme Court, in a somewhat controversial ruling today, has resolved a circuit split by ruling that interlocutory appeals from a federal district court’s denial of a motion to compel arbitration must automatically stay the underlying District Court case. On June 23, 2023, the Supremes in Coinbase, Inc. v. Bielski, No. 22 – 105 (599 U.S. ____ 2023), held that the district court must stay its proceedings while an interlocutory appeal on the question of arbitrability is ongoing.
In any Cyber incident, Data breach, hack or unwanted email intrusion, like the recent Kaseya attack, Incident Response (IR) time is of the essence. The Business and Cybersecurity Litigation lawyers at Houston Harbaugh, P.C., are here to assist in addressing the cybersecurity issues facing companies today. A comprehensive set of issues must be addressed to aid companies in minimizing the risk of cybersecurity breaches and to aid companies not if, but when, a data breach occurs. Ransomware, e-mail spoofing, text and phone call spoofing, e-mail intrusion, phishing and other schemes are running rampant in the business world. Sophisticated companies are falling prey to wire fraud schemes and ransom attacks at an alarming rate. These victims frequently turn to their insurance carriers but the maze of seeking insurer indemnity and defense for these matters is complex. Our firm can help work through that maze on both the technical side of investigation and on the mitigation side including the analysis of insurance coverage options. Our litigation lawyersare well equipped to handle IR and to tackle both the initiation of, or defense of, litigation related to these cyber security breaches and losses.
Data breaches are one of the biggest risks facing companies today. Companies must take action to prepare for the worst and to react quickly when it happens on both the technical side and the legal side. Our firm can cyber-counsel on corporate structure issues, insurance coverage, employment law, HIPAA and personal and health care data issues, and protection of data through proper technology infrastructure, technology rules and policies, corporate and employment policies and litigation if necessary. Cybersecurity takes a team to protect companies and their data through security programs, security awareness training, annual security audits and Incident Response. A cyber incident or intrusion which results in a breach of Personally Identifiable Information(PII) may trigger certain legal reporting requirements. See (Westlaw’s link): Pennsylvania Statutes 73-2301: Breach of Personal InformationNotification Act. A link to the actual Pennsylvania statute can be found here. Here is a summary of the Pennsylvania Notification Act:
Enacted in 2006, Pennsylvania’s data breach notification law requires entities doing business in Pennsylvania that maintain, store, or manage computerized personal information of Pennsylvania residents to notify affected individuals of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
Notice must be made without unreasonable delay
If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Breached third parties must notify relevant data owners or licensees.
Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.
Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are entities that comply with relevant notification requirements of federal regulators.
Our firm can help guide you through these reporting requirements but it is best to be prepared in advance. We can help you prepare and can refer you to good technical people for up front assistance.
Data breaches are the ultimate sneak attack. A company’s computer systems can be breached for weeks, months and even years without the breach being detected. Once detected, what action must the company take? A team that includes attorneys, company executives, law enforcement, IT and human resource management should be in place and prepared to address the various problems that arise. These problems include legal issues —regulatory compliance, protection of intellectual property, recovery of losses, and litigation —technical issues, notification issues, customer relations, public relations, and insurance issues.
Houston & Harbaugh cybersecurity attorneys have presented both regionally and nationally the following topics: “The Potential Consequences of Data Breach on Compromise or Infringement of Intellectual Property” and “Protecting Your Business in the Digital Age”. To read more about this topic and to see legal resources regarding Cybersecurity and Data Breach Response, please see this website’s Resource Library.
Contact Our Pennsylvania Cybersecurity Attorneys Today: Houston Harbaugh can help your company take action to minimize the threat from data breaches and to guide you through IR. For immediate help on data breach or ransomware response, contact HH Shareholder Henry Sneath by email now todatabreach@hh-law.comor call: 1-833-511-2243
Posted onApril 4, 2019byHenry Sneath|Comments Off on Was the 2017 “NotPetya” Ransomware Attack an Act of War?
This is the question being litigated in a high-stakes cyber insurance coverage dispute between global snack food giant, Mondelez International, and its insurer, Zurich American Insurance Company, in Illinois state court. “NotPetya” was a 2017 ransomware attack in which infectious code impacted a number of global corporations, including Mondelez, encrypting computer hard drives and demanding payment for access to the data. Mondelez claims that it suffered damage to its hardware and operation software systems valued in excess of $100 million as a result of the attack. In early 2018, the U.S. and its allies publicly attributed the cyberattack to the Russian government. Russia denied the allegations. Modelez submitted an insurance claim to Zurich under an all-risk property insurance policy. Mondelez alleges that Zurich denied the claim based on a policy exclusion that excluded coverage for “loss or damage directly or indirectly caused by or resulting from … [a] hostile or warlike action … by any government or sovereign power … or agent or authority [thereof].” In October 2018, Mondelez filed suit against Zurich in Cook County, Illinois to determine whether the exclusion applies. According to the docket the case is currently pending, and working its way through the discovery process.
This case is being closely watched by corporations and insurers alike as it may have broad implications on cyberattack coverage for both traditional and specialized cyber insurance policies that contain the same or similar exclusions. What evidence will the insurer present to seek to prove that this war exclusion applies?
Pieces by Brian Corcoran on Lawfare (here) and Jeff Sistrunk on Law360 (here) each contain in-depth discussions of the case and its potential implications on the cyber insurance market. The docket for the case can be found here (select the Law Division and enter Case Number 2018-L-011008).
Posted by R. Brandon McCullough attorney at Houston Harbaugh, P.C. 401 Liberty Avenue, Pittsburgh, PA 15222. Brandon concentrates his practice primarily in the areas of insurance coverage and bad faith litigation, complex commercial and business litigation and appellate litigation. Please contact Mr. McCullough at 412-288-4008 or mcculloughb@hh-law.comwith any questions pertaining to this article or any other legal matters.
From Law.Com and its Legaltech news former Microsoft CTO Adrian Clarke (Evident Proof) reports on the technology of Blockchain and its purported major security benefits for the supply ecosystem. “The blockchain is a transaction ledger that is uneditable and virtually unhackable. New information can be written onto the blockchain, but the previous information (stored in what are known as blocks) can’t be adjusted. Every single block (or piece of data) added to the chain is given an encrypted identity. Cryptography effectively connects the contents of each newly added block with each block that came before it. So any change to the contents of a previous block on a chain would invalidate the data in all blocks after it.” Clarke’s report here is perhaps some comfort for an exponentially growing sector of the world wide economy which relies on supply chain management on a massive scale. See his piece in Law Journal Newsletters at http://tinyurl.com/y7mqfnem
Attorneys Bill Cheng and John Frank Weaver at McLane Middleton, P.A. in New Hampshire posted this piece in the NH Business Review at: http://tinyurl.com/yblh6nqp regarding the interaction between Blockchain and Bitcoin and how the GDPR for example will struggle to deal with these technologies, given the protections that GDPR attempts to provide to data owners so that they can control their personal information and data. Blockchain, particularly in conjunction with Bitcoin as the currency for a Blockchain secured transaction will prove a challenge to the GDPR rules. CTOs, Industrial Engineers and Supply Chain designers have big decisions to make in the years to come regarding security and whether Blockchain is the answer to some data protection issues. Photo courtesy of Law.Com.
Posted by Henry M. Sneath, EsquireCo-Chair Litigation Practice Group and Chair of the IP Practice Group: Houston Harbaugh, P.C.401 Liberty Avenue, Pittsburgh, Pa. 15222. Sneath is also an Adjunct Professor of Law teaching two courses; Trade Secret Law and the Law of Trademarks and Unfair Competition at Duquesne University School of Law.Please contact Mr. Sneath at 412-288-4013 orsneathhm@hh-law.com.
Posted onMarch 29, 2018byHenry Sneath|Comments Off on Business: Seeking Predictability in an Era of Uncertainty
Here is an article I wrote which was published by DRI in their IDQ (In-house Defense Quarterly) to promote the DRI Corporate Counsel Round Table meeting in Washington D.C. which was held in January. It highlights the uncertainty in business markets and the role of the courts in same. See the article at this link:http://tinyurl.com/y9mov84l
Posted byHenry M. Sneath, Esq.Shareholder and Director; Co-Chair of the Litigation Department; Chair of the IP Department; Houston Harbaugh, P.C. (www.hh-law.com) Pittsburgh, Pa.Please contact Mr. Sneath at412-288-4013 or sneathhm@hh-law.com
Posted onFebruary 20, 2018byHenry Sneath|Comments Off on From Legal Tech/Law.Com news: A Bug Bounty for Discounts on Cyber Insurance
From our friends at Law.Com: In the growing market for cyber insurance, carriers are trying to compete on price. One carrier, Coalition is offering discounts if your company creates a partnership with a “white hat hacker” and establishes a bug bounty with that hacker. The hacker gets a bounty for finding vulnerabilities. Legal Tech author Rhys Dipshandetails the program in the article at this link: http://tinyurl.com/ydck3nxg
Dipshan reports that “bug bounties” are becoming a popular weapon in combating cyber attacks. “Unsurprisingly” Dipshan reports, “bounty programs are becoming increasingly common in the tech and corporate world, with companies such as Facebook, Microsoft and Uber offering compensation for vulnerability disclosures. They also have caught on in the federal government as well, with the Department of Defense launching its “Hack the Pentagon” and “Hack the Air Force” programs.” Do you need a cyber bounty hunter?
Posted onMay 25, 2016byHenry Sneath|Comments Off on DTSA Cases Being Filed: Defend Trade Secrets Act 2016
Posted by: DTSALAW.Com and DefendTradeSecretsAct.LawyerHenry M. Sneath, Esq. – Chair of the Intellectual Property Practice Group at Pittsburgh, Pa. law firm Houston Harbaugh, P.C. www.hh-law.com. Mr. Sneath is also an Adjunct Professor of Law at the Duquesne University School of Law teaching Trade Secret Law, Trademark Law and the Law of Unfair Competition. He may be contacted atsneathhm@hh-law.com or 412-288-4013. See Websites www.hh-law.com or www.DTSALaw.com.
The new DTSA federal civil remedy statute is already generating lawsuits being filed in Federal Courts. Two suits were recently filed in the Southern District of Florida with jurisdiction being claimed pursuant to the Defend Trade Secrets Act 2016 (DTSA). One case was also filed in the Northern District of Texas. See links to the cases below. In each Florida case, the plaintiff not only claimed trade secret misappropriation under the DTSA, but also under the Florida UTSA state statute (FUTSA). The Texas case brings claims under DTSA and the TUTSA along with pendent state law claims. This may become the trend as the DTSA and state statutes modeled after the Uniform Trade Secret Act describe trade secrets and misappropriation somewhat differently and provide, in some cases, different remedies. The differences in “definitions” between DTSA and the UTSA are not major, but they may make a difference if either is left out of a complaint filed in federal court. We will monitor this trend and post in the future on new filings.
Interestingly, while both Florida cases seek injunctive relief in the complaint’s claims for relief, neither docket shows the filing of a separate Motion for TRO, Preliminary Injunction or motion for other injunctive relief. The Dean case brings only trade secret misappropriation claims under the DTSA and the FUTSA state statute. The Bonamar case brings claims under DTSA and FUTSA and a number of pendent State Law claims that you would expect to see in an employment related, non-disclosure, breach of covenants/contract case. In the Texas case, the plaintiff has filed an emergency motion for TRO under both state and federal law and a hearing is set for May 26, 2016. The motion and brief are linked below. Here are links to the cases on our website.
Posted onMay 1, 2016byHenry Sneath|Comments Off on Big IP NEWS: Defend Trade Secrets Act 2016 (DTSA) Passes Congress – President to sign
Posted by Henry M. Sneath, Esq. – Chair of the Intellectual Property Practice Group at Pittsburgh, Pa. law firm Picadio Sneath Miller & Norton, P.C. (PSMN® and PSMNLaw®). Mr. Sneath is also an Adjunct Professor of Law at the Duquesne University School of Law teaching Trade Secret Law, Trademark Law and the Law of Unfair Competition. He may be contacted athsneath@psmn.com or 412-288-4013. Website www.psmn.com or www.psmn.law.
The US Congress has passed the landmark Defend Trade Secrets Act of 2016 (DTSA) and it is set for the President’s signature. It will soon be law. See Link to DTSA Legislation here: https://www.congress.gov/bill/114th-congress/senate-bill/1890/text Trade Secret law has long been the province of the States, more or less exclusively, and except for criminal protections against trade secret theft and economic espionage, there has been no Federal civil law providing a federal damages remedy for such theft. Amended will be Crimes and Criminal Procedures – Title 18, Chapter 90, Section 1836 and the key provision is as follows:
“(1) IN GENERAL.—An owner of a trade secret that is misappropriated may bring a civil action under this subsection if the trade secret is related to a product or service used in, or intended for use in, interstate or foreign commerce.”
Congress has now added a civil remedy provision to Federal protection of Trade Secrets wherein prior Federal law only provided criminal sanctions. This has been described as a major new development in Federal IP law and will provide federal jurisdiction for Trade Secret Misappropriation cases. The law will NOT preempt nor change State laws and therefore actions will be brought in both federal and state court jurisdictions. Most states (48) have adopted a form of the Uniform Trade Secrets Act (UTSA) and actions can still be brought under those state statutes, but those statutes vary to some degree. The DTSA is very similar to the UTSA based state court statutes, but there will be differences depending on the state jurisdiction from which cases are brought or removed. DTSA will apply to any acts of trade secret misappropriation that take place AFTER the act is signed into law (not retroactive). The Statute of Limitations will be 3 years according to the actual text linked above, but some commentators have stated that it is 5 years (we will need to check to get accurate information on the SOL and will follow up).
The DTSA contains an important and somewhat controversial “Civil Seizure” provision which renders it different from most state laws and which reads:
“(i) APPLICATION.—Based on an affidavit or verified complaint satisfying the requirements of this paragraph, the court may, upon ex parte application but only in extraordinary circumstances, issue an order providing for the seizure of property necessary to prevent the propagation or dissemination of the trade secret that is the subject of the action.”
This provision is controversial because it can be ordered by a court ex-parte. By amendment, the words “but only in extraordinary circumstances” were added to attempt to mollify some critics of this provision. However, there are some strict limitations to the ex-parte injunctions and a couple of them are below:
“(ii) REQUIREMENTS FOR ISSUING ORDER.—The court may not grant an application under clause (i) unless the court finds that it clearly appears from specific facts that—
“(I) an order issued pursuant to Rule 65 of the Federal Rules of Civil Procedure or another form of equitable relief would be inadequate to achieve the purpose of this paragraph because the party to which the order would be issued would evade, avoid, or otherwise not comply with such an order;
“(II) an immediate and irreparable injury will occur if such seizure is not ordered.”
Such ex-parte injunctions must be very specific and the court must go to great lengths not to overreach or to punish through publicity an accused wrongdoer during the period of seizure. There are other typical requirements for injunctions like posting of security and careful management of the seized materials, and the accused wrongdoer has a right of action back against the claimant if the seizure turns out to be wrongful or excessive.
In an action for misappropriation, a court may order injunctive relief and may
“(B) award—
“(i) (I) damages for actual loss caused by the misappropriation of the trade secret; and
“(II) damages for any unjust enrichment caused by the misappropriation of the trade secret that is not addressed in computing damages for actual loss; or
“(ii) in lieu of damages measured by any other methods, the damagescaused by the misappropriation measured by imposition of liability for a reasonable royalty for the misappropriator’s unauthorized disclosure or use of the trade secret;
“(C) if the trade secret is willfully and maliciously misappropriated, award exemplary damages in an amount not more than 2 times the amount of the damages awarded under subparagraph (B); and
“(D) if a claim of the misappropriation is made in bad faith, which may be established by circumstantial evidence, a motion to terminate an injunction is made or opposed in bad faith, or the trade secret was willfully and maliciouslymisappropriated, award reasonable attorney’s fees to the prevailing party.”
It is unclear as to how this bill will be enforced against foreign Trade Secret theft, or if there will even be jurisdiction under this act for such claims. We will follow up on that issue in future posts. See the Senate and House reports below which contain a substantial amount of background legislative history and commentary. Contact us for additional information. We will continue to study this new law and report to our readers.
Posted onJune 3, 2015byHenry Sneath|Comments Off on Pittsburgh Court Rules on Data Breach Class Claims – Denying Cause of Action
Posted By Henry M. Sneath,Chair of the Cybersecurity and Data Breach Prevention and Response Team at Pittsburgh, Pa. law firm Picadio Sneath Miller & Norton, P.C. hsneath@psmn.com or 412-288-4013
A Pittsburgh, Pennsylvania Judge has ruled at the trial court level that there is no private cause of action for the alleged failure of a major hospital network to secure and protect PII and PHI. Denying Class claims, Judge Wettick has ruled that because the legislature has not created such a right, that only the Pennsylvania Attorney General has the right to bring a claim in this circumstance. See the Legal Intelligencer article here: http://tinyurl.com/nphostc We will get more details on this case and pass them along with our analysis.
Contact our Pittsburgh Intellectual Property, Cyber and Data Security, Trade Secret, DTSA and Technology Attorneys at Houston Harbaugh, P.C. through IP and Litigation Sections Chair Henry M. Sneath at 412-288-4013 or sneathhm@hh-law.com. While focusing first on health care and prevention issues for family, friends and employees, we are also beginning to examine the overall Covid Law related issues in business litigation, contract force majeure, trusts and estates litigation and insurance coverage issues that will naturally follow the economic disruption of the Covid-19 pandemic.
Some posts herein are from the HH-Law resources of PSMN® and PSMNLaw®. Business Litigation. Pittsburgh Strong® and DTSALaw®, PSMN® and PSMNLaw® are federally registered trademarks of HH-Law. See Firm Website at: https://www.hh-law.com/Professionals/Henry-Sneath.shtml
You must be logged in to post a comment.