The U.S. Justice Department and the FBI have announced indictments and money seizure in the ransomware attack perpetrated against software giant Kaseya. Hear the details in this 10 minute podcast.
https://anchor.fm/henry-sneath/episodes/Ransomware-Attack-on-Kaseya-12521-Update—Indictments-e1b9kga
Comments Off on Kaseya – Ransomware Attack Indictments; Podcast Update 12/5/21
Posted in Computer Technology, Cybersecurity, Data Breach Prevention, Data Breach Response, Data Security, Podcasts, Technology
Tagged cybersecurity, Data breach, kaseya, ransomware
Here is the latest on the Kaseya VSA supply-chain ransomware attack which is interesting because there is now strong interplay between the United States government and companies like Kaseya given the national security implications of this type of ransomware attack. Please feel free to listen to this podcast with a brief update on the government involvement in the response to this ransomware attack and on the type of directives that the federal government is now giving out through government agencies like the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. It was widely reported that the CEO of Kaseya on 1st notification of this ransomware attack contacted the federal government and spoke with national security officials at the White House and in the Department of Homeland Security. Obviously, every ransomware attack will not necessarily invoke this high-level government response, but more and more the government is involving itself in the investigation and response to these attacks which have been heavily linked to entities like REvil which is alleged to be based in Russia. Pres. Biden today allegedly called Pres. Putin to once again warn him regarding the cybersecurity attacks and he promised in the media that there would be a response from the United States. For more information on the specific CISA-FBI recommendations in response to the Kaseya VSA supply-chain ransomware attack see this link to the CISA website: https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa . See the link below for my short podcast with this update.
Comments Off on Kaseya VSA Supply-Chain Ransomware Attack Update 7-9-21 Podcast
Posted in Computer Technology, Cybersecurity, Data Breach Prevention, Data Breach Response, Data Security, Podcasts, Technology
Tagged Cyber Risk, cybersecurity, Data breach, data breach response, kaseya, ransomware, VSA
See Kaseya CEO Video response presentation: https://www.kaseya.com/
See Updates Regarding VSA Security Incident Response: https://www.kaseya.com/potential-attack-on-kaseya-vsa/
In any Cyber incident, Data breach, hack or unwanted email intrusion, like the recent Kaseya attack, Incident Response (IR) time is of the essence. The Business and Cybersecurity Litigation lawyers at Houston Harbaugh, P.C., are here to assist in addressing the cybersecurity issues facing companies today. A comprehensive set of issues must be addressed to aid companies in minimizing the risk of cybersecurity breaches and to aid companies not if, but when, a data breach occurs. Ransomware, e-mail spoofing, text and phone call spoofing, e-mail intrusion, phishing and other schemes are running rampant in the business world. Sophisticated companies are falling prey to wire fraud schemes and ransom attacks at an alarming rate. These victims frequently turn to their insurance carriers but the maze of seeking insurer indemnity and defense for these matters is complex. Our firm can help work through that maze on both the technical side of investigation and on the mitigation side including the analysis of insurance coverage options. Our litigation lawyers are well equipped to handle IR and to tackle both the initiation of, or defense of, litigation related to these cyber security breaches and losses.
Data breaches are one of the biggest risks facing companies today. Companies must take action to prepare for the worst and to react quickly when it happens on both the technical side and the legal side. Our firm can cyber-counsel on corporate structure issues, insurance coverage, employment law, HIPAA and personal and health care data issues, and protection of data through proper technology infrastructure, technology rules and policies, corporate and employment policies and litigation if necessary. Cybersecurity takes a team to protect companies and their data through security programs, security awareness training, annual security audits and Incident Response. A cyber incident or intrusion which results in a breach of Personally Identifiable Information (PII) may trigger certain legal reporting requirements. See (Westlaw’s link): Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act. A link to the actual Pennsylvania statute can be found here. Here is a summary of the Pennsylvania Notification Act:
Our firm can help guide you through these reporting requirements but it is best to be prepared in advance. We can help you prepare and can refer you to good technical people for up front assistance.
Data breaches are the ultimate sneak attack. A company’s computer systems can be breached for weeks, months and even years without the breach being detected. Once detected, what action must the company take? A team that includes attorneys, company executives, law enforcement, IT and human resource management should be in place and prepared to address the various problems that arise. These problems include legal issues —regulatory compliance, protection of intellectual property, recovery of losses, and litigation —technical issues, notification issues, customer relations, public relations, and insurance issues.
Houston & Harbaugh cybersecurity attorneys have presented both regionally and nationally the following topics: “The Potential Consequences of Data Breach on Compromise or Infringement of Intellectual Property” and “Protecting Your Business in the Digital Age”. To read more about this topic and to see legal resources regarding Cybersecurity and Data Breach Response, please see this website’s Resource Library.
Contact Our Pennsylvania Cybersecurity Attorneys Today: Houston Harbaugh can help your company take action to minimize the threat from data breaches and to guide you through IR. For immediate help on data breach or ransomware response, contact HH Shareholder Henry Sneath by email now to databreach@hh-law.com or call: 1-833-511-2243
Comments Off on Kaseya VSA Server Ransomware Attack July 2021 – Lessons and Protocols for Dealing with Data Breach
Posted in Computer Technology, Cybersecurity, Data Breach Prevention, Data Breach Response, Data Security, Podcasts, Technology
Tagged cyber insurance, Cyber Risk, cybersecurity, Data breach, data security, kaseya, ransomware
This is the question being litigated in a high-stakes cyber insurance coverage dispute between global snack food giant, Mondelez International, and its insurer, Zurich American Insurance Company, in Illinois state court. “NotPetya” was a 2017 ransomware attack in which infectious code impacted a number of global corporations, including Mondelez, encrypting computer hard drives and demanding payment for access to the data. Mondelez claims that it suffered damage to its hardware and operation software systems valued in excess of $100 million as a result of the attack. In early 2018, the U.S. and its allies publicly attributed the cyberattack to the Russian government. Russia denied the allegations. Modelez submitted an insurance claim to Zurich under an all-risk property insurance policy. Mondelez alleges that Zurich denied the claim based on a policy exclusion that excluded coverage for “loss or damage directly or indirectly caused by or resulting from … [a] hostile or warlike action … by any government or sovereign power … or agent or authority [thereof].” In October 2018, Mondelez filed suit against Zurich in Cook County, Illinois to determine whether the exclusion applies. According to the docket the case is currently pending, and working its way through the discovery process.
This case is being closely watched by corporations and insurers alike as it may have broad implications on cyberattack coverage for both traditional and specialized cyber insurance policies that contain the same or similar exclusions. What evidence will the insurer present to seek to prove that this war exclusion applies?
Pieces by Brian Corcoran on Lawfare (here) and Jeff Sistrunk on Law360 (here) each contain in-depth discussions of the case and its potential implications on the cyber insurance market. The docket for the case can be found here (select the Law Division and enter Case Number 2018-L-011008).
Posted by R. Brandon McCullough attorney at Houston Harbaugh, P.C. 401 Liberty Avenue, Pittsburgh, PA 15222. Brandon concentrates his practice primarily in the areas of insurance coverage and bad faith litigation, complex commercial and business litigation and appellate litigation. Please contact Mr. McCullough at 412-288-4008 or mcculloughb@hh-law.com with any questions pertaining to this article or any other legal matters.
Comments Off on Was the 2017 “NotPetya” Ransomware Attack an Act of War?
Posted in Business Risk, Computer Technology, Cybersecurity, Data Breach Prevention, Data Breach Response, Data Security, Houston Harbaugh, P.C.
Tagged cyber insurance, cyber security, cyberattack coverage, intellectual property, intellectual property litigation, notpetya
Posted by Henry M. Sneath, Esquire Co-Chair Litigation Practice Group and Chair of the IP Practice Group: Houston Harbaugh, P.C. 401 Liberty Avenue, Pittsburgh, Pa. 15222. Sneath is also an Adjunct Professor of Law teaching two courses; Trade Secret Law and the Law of Trademarks and Unfair Competition at Duquesne University School of Law. Please contact Mr. Sneath at 412-288-4013 or sneathhm@hh-law.com.
Comments Off on BLOCKCHAIN: Is it the Next Big Step in Data Security?
Posted in Business Risk, Computer Technology, Cybersecurity, Data Breach Prevention, Data Breach Response, Data Security, Defend Trade Secret Act 2016, dtsalaw, Technology, Trade Secret
Tagged Data breach, data breach response, data security, DTSA, intellectual property, intellectual property litigation, pittsburgh intellectual property litigation, Pittsburgh Technology, technology
Comments Off on From Relecura: Semiconductor Sensors. Building the Wave in IoT Development
Posted in Computer Technology, Data Security, Patents, Technology
Tagged patent, patent prosecution, pittsburgh patent litigation, Pittsburgh Technology, technology
Here is an article I wrote which was published by DRI in their IDQ (In-house Defense Quarterly) to promote the DRI Corporate Counsel Round Table meeting in Washington D.C. which was held in January. It highlights the uncertainty in business markets and the role of the courts in same. See the article at this link: http://tinyurl.com/y9mov84l
Posted by Henry M. Sneath, Esq. Shareholder and Director; Co-Chair of the Litigation Department; Chair of the IP Department; Houston Harbaugh, P.C. (www.hh-law.com) Pittsburgh, Pa. Please contact Mr. Sneath at 412-288-4013 or sneathhm@hh-law.com
Comments Off on Business: Seeking Predictability in an Era of Uncertainty
Posted in Business Risk, Cybersecurity, Data Breach Prevention, Data Breach Response, Data Security, dtsalaw, United States Supreme Court
Tagged Business Risk, Data breach, intellectual property litigation, technology, US Supreme Court Decisions
From our friends at Law.Com: In the growing market for cyber insurance, carriers are trying to compete on price. One carrier, Coalition is offering discounts if your company creates a partnership with a “white hat hacker” and establishes a bug bounty with that hacker. The hacker gets a bounty for finding vulnerabilities. Legal Tech author Rhys Dipshan details the program in the article at this link: http://tinyurl.com/ydck3nxg
Dipshan reports that “bug bounties” are becoming a popular weapon in combating cyber attacks. “Unsurprisingly” Dipshan reports, “bounty programs are becoming increasingly common in the tech and corporate world, with companies such as Facebook, Microsoft and Uber offering compensation for vulnerability disclosures. They also have caught on in the federal government as well, with the Department of Defense launching its “Hack the Pentagon” and “Hack the Air Force” programs.” Do you need a cyber bounty hunter?
Posted by Henry M. Sneath, Esq. HoustonHarbaugh, P.C. – Pittsburgh, Pa. https://www.hh-law.com Chair of the Intellectual Property Practice Group and Co-Chair Litigation Practice Group. Contact at: sneathhm@hh-law.com or 412-288-4013
Comments Off on From Legal Tech/Law.Com news: A Bug Bounty for Discounts on Cyber Insurance
Posted in Business Risk, Cybersecurity, Data Breach Prevention, Data Breach Response, Data Security, Houston Harbaugh, Technology, Trade Secret
Tagged Data breach, data breach response, data security, pittsburgh, pittsburgh intellectual property litigation, Pittsburgh Technology, Western District of Pennsylvania
Kelly A. Williams, a Senior Attorney at the Pittsburgh law firm of Houston Harbaugh, P.C. 412-288-4005
In an apparent case of first impression, a divided three-judge panel of the Pennsylvania Superior Court recently held that an employer does not owe a legal duty to its employees to protect the employees’ electronically stored personal and financial information. In Dittman v. UPMC, decided on January 12, 2017 (docket no. 971 WDA 2015), the Superior Court affirmed an opinion of the Court of Common Pleas of Allegheny County, PA (opinion by the Honorable R. Stanton Wettick, Jr.), sustaining defendant University of Pittsburgh Medical Center’s (“UPMC”) preliminary objections to an employee class action suit. The suit arose from a data breach of the employees’ personal information, which was provided to UPMC as a condition of employment.
The employees sued UPMC for negligence and breach of contract after their names, birth dates, social security numbers, tax information, addresses, salaries and bank information were stolen due to the data breach. Specifically, they alleged that UPMC failed to properly encrypt data, establish adequate firewalls and implement adequate authentication protocols to protect the information in its computer network. All of UPMC’s 62,000 employees and former employees were affected by the breach. Appellants consisted of two separate but overlapping classes. One class alleged that the stolen information had already been used to file fraudulent tax returns and steal the tax refunds of certain employees. The other class consisted of those who had not suffered this harm but alleged that they were at increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.
To determine whether a duty of care exists, the Pennsylvania courts look to five factors, none of which are determinative alone. Seebold v. Prison Health Servs., Inc., 57 A.3d 1232, 1243 (Pa. 2012); Althaus ex. rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000). The five factors are:
In Dittman, the court found that the first factor weighed in favor of finding a duty because the employer-employee relationship gives rise to duties on the employer. The court next weighed the second factor against the third: the need of employers to collect and store personal information about their employees against the risk of storing information electronically and the foreseeability of data breaches. The court concluded:
While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information. In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data. Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems.
Analysis of the fourth factor looks to the consequences of imposing a duty. In this situation, the court considered that data breaches are widespread and that there is no safe harbor for entities storing confidential information. It was also the court’s opinion that no judicially created duty of care is needed to incentivize companies to protect confidential employee information because other statutes and safeguards are in place to prevent employers from disclosing confidential information. Thus, the court concluded that “it unnecessary to require employers to incur potentially significant costs to increase security measures when there is no true way to prevent data breaches altogether. Employers strive to run their businesses efficiently and they have an incentive to protect employee information and prevent these types of occurrences.”
Finally, the fifth factor looks to whether there is a public interest in imposing a duty. The Superior Court found persuasive the reasoning of the trial court that imposing a duty here would greatly expend judicial resources and would result in judicial activism. The Superior Court agreed with the trial court that the Pennsylvania legislature has considered the same issues and chose only to impose a duty of notification of a data breach. “It is not for the courts to alter the direction of the General Assembly because public policy is a matter for the legislature.”
Weighing all five factors, the court held that the factors weighed against imposing a duty. Judge Stabile filed a concurring opinion, which Judge Olson, the writer for the majority opinion, joined. Judge Stabile agreed with the ruling but emphasized that the law in this area is quickly changing and that the ruling was based on the facts pled in that particular case. One of the key facts for Judge Stabile was the fact that the employees had not alleged that UPMC was on notice of any specific security threat. In a dissenting opinion, Judge Musmanno concluded that allegations that UPMC failed to properly encrypt data, establish adequate fire walls and implement appropriate authentication protocols was sufficient to allege that UPMC knew or should have known that there was a likelihood data would be stolen. Judge Musmanno also disagreed with the majority’s assumption that employers are sufficiently incentivized to protect employee data without a duty imposed upon them to do so.
The employees filed a motion for reconsideration and reargument on January 26, 2017. Thus, the Superior Court’s January 2017 opinion may not be the final word on the issue.
Dittman is interesting in the world of data breach lawsuits because it does not address standing. Many data breach defendants have relied upon the theory that plaintiffs lack standing to bring claims for data breaches where plaintiffs cannot prove actual harm from the breach. Proof of actual harm can be challenging because evidence regarding the use of the stolen information may be difficult to find. Here, standing was not discussed by the Superior Court. In the trial court below, UPMC had argued that the claims against it should be dismissed on the grounds that the employees lacked standing to assert claims on behalf of employees who had not yet been injured. UPMC also asserted that the employees’ negligence and breach of implied contract claims failed as a matter of law. After oral argument on these issues, the trial court ordered both parties to file supplemental briefs on the issue of whether UPMC owed a duty to its employees with respect to the handling of their personal and financial data. This ultimately proved to be the issue that the trial court and the Superior Court found to be determinative.
The Dittman v. UPMC opinion may be found at: http://scholar.google.com/scholar_case?case=17833965968674892500&q=dittman+v.+upmc&hl=en&as_sdt=6,39&as_vis=1.
Comments Off on Pennsylvania Superior Court Rules Employer Owes No Duty to Protect Employee Data
Posted in Cybersecurity, Data Security, Technology
Tagged Data breach, pittsburgh intellectual property litigation, Pittsburgh Technology
Posted by: DTSALAW.Com and DefendTradeSecretsAct.Lawyer Henry M. Sneath, Esq. – Chair of the Intellectual Property Practice Group at Pittsburgh, Pa. law firm Houston Harbaugh, P.C. www.hh-law.com. Mr. Sneath is also an Adjunct Professor of Law at the Duquesne University School of Law teaching Trade Secret Law, Trademark Law and the Law of Unfair Competition. He may be contacted at sneathhm@hh-law.com or 412-288-4013. See Websites www.hh-law.com or www.DTSALaw.com.
The new DTSA federal civil remedy statute is already generating lawsuits being filed in Federal Courts. Two suits were recently filed in the Southern District of Florida with jurisdiction being claimed pursuant to the Defend Trade Secrets Act 2016 (DTSA). One case was also filed in the Northern District of Texas. See links to the cases below. In each Florida case, the plaintiff not only claimed trade secret misappropriation under the DTSA, but also under the Florida UTSA state statute (FUTSA). The Texas case brings claims under DTSA and the TUTSA along with pendent state law claims. This may become the trend as the DTSA and state statutes modeled after the Uniform Trade Secret Act describe trade secrets and misappropriation somewhat differently and provide, in some cases, different remedies. The differences in “definitions” between DTSA and the UTSA are not major, but they may make a difference if either is left out of a complaint filed in federal court. We will monitor this trend and post in the future on new filings.
Interestingly, while both Florida cases seek injunctive relief in the complaint’s claims for relief, neither docket shows the filing of a separate Motion for TRO, Preliminary Injunction or motion for other injunctive relief. The Dean case brings only trade secret misappropriation claims under the DTSA and the FUTSA state statute. The Bonamar case brings claims under DTSA and FUTSA and a number of pendent State Law claims that you would expect to see in an employment related, non-disclosure, breach of covenants/contract case. In the Texas case, the plaintiff has filed an emergency motion for TRO under both state and federal law and a hearing is set for May 26, 2016. The motion and brief are linked below. Here are links to the cases on our website.
Florida Cases: Bonamar v. Turkin and Supreme Crab ; Dean V. City of Miami Beach et al
Texas Case: UPS v. Thornburg (Complaint) ; UPS v. Thornburg (Emergency Motion for TRO) ; UPS v. Thornburg (Brief in Support of Motion for TRO)
Henry M. Sneath, Esq. 412-288-4013 hsneath@psmn.com
Comments Off on DTSA Cases Being Filed: Defend Trade Secrets Act 2016
Posted in Cybersecurity, Data Breach Prevention, Data Breach Response, Data Security, Defend Trade Secret Act 2016, DTSA, PUTSA, Technology, Trade Secret, Trade Secret Misappropriation
Tagged Data breach, data breach response, data security, Defend Trade Secrets Act, defend trade secrets act lawyer, DTSA, dtsalaw, Federal Courts, intellectual property, intellectual property litigation, pennsylvania trade secrets lawyers, pittsburgh intellectual property litigation, Pittsburgh Trade Secret Lawyers, PUTSA, trade secret, Trade Secret Misappropriation
RSS - Posts
You must be logged in to post a comment.