August Cyber update from the Office of Rob Kleeger
Aug 18, 2022 12:36 pm
I hope this email finds you and your loved ones safe, secure, and healthy. More importantly, that you have been enjoying the summer, traveling, and enjoying some normal outdoor activities. Let's hope it stays "Normal" the next 4 months.
All the best,
Words of Wisdom:
"Experience is not what happens to you; it is what you do with what happens to you.”
CURRENT DATA SECURITY NEWS:
New Record Cost of Average Data Breach Rises
The average cost of a data breach hit an all-time high of $4.35 million this year, up 2.6% from a year ago and 12.7% from 2020, according to the 2022 Cost of a Data Breach Report conducted by the Ponemon Institute and IBM Security.
The good news is that the average cost of a ransomware attack, not including the ransom payment itself, went down slightly in 2022, from $4.62 million to $4.54 million. The bad news is that the share of breaches involving ransomware grew from 7.8% in 2021 to 11% in 2022, a growth rate of 41%.
New York is the first U.S. state to require that attorneys take continuing legal education courses in cybersecurity, privacy and data protection.
The recommendation was adopted June 10, 2022, in a joint order issued by the judicial departments of the Appellate Division of the New York State Supreme Court, and the new requirement will take effect on July 1, 2023.
All attorneys must complete one hour of training every two years in either the ethical obligations surrounding cybersecurity, privacy and data protection, or in the technological and practice-related aspects of protecting data and client communications. Only two other U.S. states require technology training as part of a lawyer’s continuing education requirement, Florida and North Carolina, but New York’s mandate is the first to focus its requirement on cybersecurity, privacy and data protection.
On August 5, Slack disclosed that for roughly five years it had accidentally exposed the hashed (salted) passwords of certain users to other members of their workspace when shared invitation links were created or revoked, a previously unknown bug. On that same day, Twitter confirmed that a threat actor had exploited a since-patched vulnerability in its platform to link email addresses and phone numbers to accounts, and had compiled and offered for sale the resulting account details.
Cisco Hit by Cyberattack From Hacker Linked to Lapsus$ Gang
Networking giant Cisco Systems is the latest victim of a data breach. The company confirmed the incident after the Yanluowang ransomware gang posted a list of files obtained from Cisco on its data leak site. According to Cisco, the attackers first compromised an employee's personal Google account, which gave them the employee's Cisco credentials because they had been saved in the browser and synced. With a valid password in hand, the attackers then used social engineering to get past the multifactor authentication protecting the corporate VPN client: voice phishing (aka vishing), in which the attacker calls the victim posing as a trusted support organization, and MFA fatigue. In MFA fatigue (also called push bombing), the attacker repeatedly triggers MFA push notifications to the target's device until the user, worn down by the stream of prompts, approves one just to make them stop. A single approval is all the attacker needs.
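MFA fatigue leaves a visible trail in identity-provider logs: a burst of push prompts to one user, most of them denied or timed out, followed by an approval. The script below is an added example written for this newsletter, not code from Cisco or from any vendor, showing how a SOC might flag that pattern. The log format, event names (push_sent, push_denied, push_timeout, push_approved), threshold and window are hypothetical; real products such as Duo, Okta or Azure AD use their own field names, so map them before use. The sample log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log lines (not real data).
# Format (hypothetical): <timestamp> <user> <event> <source IP>
SAMPLE_LOG = """\
2022-08-10T02:14:01Z alice push_sent 203.0.113.7
2022-08-10T02:14:09Z alice push_denied 203.0.113.7
2022-08-10T02:14:32Z alice push_sent 203.0.113.7
2022-08-10T02:14:40Z alice push_timeout 203.0.113.7
2022-08-10T02:15:02Z alice push_sent 203.0.113.7
2022-08-10T02:15:05Z alice push_denied 203.0.113.7
2022-08-10T02:15:30Z alice push_sent 203.0.113.7
2022-08-10T02:15:33Z alice push_denied 203.0.113.7
2022-08-10T02:16:01Z alice push_sent 203.0.113.7
2022-08-10T02:16:04Z alice push_approved 203.0.113.7
2022-08-10T09:00:00Z bob push_sent 198.51.100.4
2022-08-10T09:00:06Z bob push_approved 198.51.100.4
"""

# Tuning knobs (assumed values): this many prompts inside the window is "bombing".
PUSH_THRESHOLD = 4
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_bombing(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert dict per user who received >= threshold push prompts
    inside any `window`-long span. Each alert records how many prompts were
    in the densest span, how many were rejected (denied or timed out) from
    that span onward, whether an approval followed (the attacker got in),
    and the source IPs involved."""
    events = defaultdict(list)  # user -> [(timestamp, event, ip)]
    for raw in log_text.splitlines():
        if raw.strip():
            ts, user, event, ip = parse_line(raw)
            events[user].append((ts, event, ip))

    alerts = []
    for user, rows in events.items():
        rows.sort()
        prompts = [ts for ts, ev, _ in rows if ev == "push_sent"]

        # Sliding window over prompt timestamps: find the densest span.
        best = None  # (count, index of first prompt in that span)
        start = 0
        for end in range(len(prompts)):
            while prompts[end] - prompts[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start)
        if best is None:
            continue  # normal login activity, no alert

        count, start = best
        win_start = prompts[start]
        later = [(ts, ev, ip) for ts, ev, ip in rows if ts >= win_start]
        rejections = sum(1 for _, ev, _ in later if ev in ("push_denied", "push_timeout"))
        approved = any(ev == "push_approved" for _, ev, _ in later)
        alerts.append({
            "user": user,
            "prompts": count,
            "rejections": rejections,
            "approved_after_bombing": approved,
            "source_ips": sorted({ip for _, _, ip in later}),
            "window_start": win_start.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

An approval after a burst of rejections is the high-priority case: treat it as a probable compromise and revoke the session, not just as a noisy login. Repeated prompts with no approval still deserve a call to the user, since it means the attacker already holds a valid password.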
LISTEN, IF THE LARGEST HI-TECH FIRMS CAN BE AND ARE BEING BREACHED WHILE SPENDING MILLIONS ON SECURITY, WHAT IS YOUR FIRM OR YOUR CLIENTS DOING TO AVOID ONE?
CURRENT LEGAL CASE UPDATES:
Goldman v. Sol Goldman Investments LLC, 20-CV-06727 (MKV)(SN), 2022 WL 2118199 (S.D.N.Y. June 13, 2022)
In this case alleging wrongful termination of Plaintiff by Defendants, a dispute arose in discovery regarding certain electronically stored information (ESI): (1) the records from Plaintiff’s work cell phone and (2) an email Plaintiff sent to his doctor on May 28, 2020. Id. at *1. After Plaintiff was fired in June 2020, he returned his work phone and laptop to Defendants. Before returning the phone, Plaintiff reset the phone to the factory setting, deleting the phone’s contents.
Plaintiff claimed that he reset the phone because he “received this work phone on the factory setting and believed [he] was supposed to return the phone in the same condition in which [he] received it” and because he thought “it would be easier for the next employee to use the phone if it had been re-set to the factory setting.”
Plaintiff further claimed that he did not believe resetting the phone would lead to any loss of information because Defendants maintained the phone records, and all of his emails were saved on their server. The evidence included a July 3, 2020, email in which Plaintiff wrote to a friend: “I erased the Solil phone .... Long story short, they would not send me my stuff and they didn’t send me FedEx labels for their computers.”
U.S. Magistrate Judge Sarah Netburn denied a motion for terminating and other sanctions based on the fact that Plaintiff had reset his employer-provided mobile phone before returning it to his employer, as well as on the non-production of certain emails. Ultimately, Magistrate Judge Netburn found that Defendants had not established the elements of a spoliation claim under Rule 37(e) and denied their request for sanctions. Id. at *5.
Ex-Twitter Employee Convicted of Feeding Users’ Confidential Info to Saudi Arabia
According to a press release issued by the Department of Justice, Ahmad Abouammo, a former Twitter employee, was found guilty of acting as a foreign agent on Wednesday. A jury in San Francisco, Calif. returned the guilty verdict on counts of conspiracy, wire fraud, international money laundering, and falsification of records in a federal investigation after a two week trial.
Doma Title Insurance, Inc. v. Avance Title, LLC, 2022 WL 2668530 (D. Md. July 11, 2022)
An order from the U.S. District Court for the District of Maryland finding that the Defendants’ boilerplate objections to discovery requests were insufficiently particularized to preserve their objections but permitting Defendants to supplement their objections rather than finding the objections waived.
Korotki v. Cooper Levenson, April Niedelman & Wagenheim, P.A., 2022 WL 2191519 (D.N.J. June 17, 2022)
An opinion from the U.S. District Court for the District of New Jersey quashing subpoenas seeking broad categories of documents and testimony, including copies of the Petitioner’s laptop and cellphone, but permitting the Plaintiff leave to re-serve a more narrowly tailored subpoena.
CYBER SECURITY TIPS OF THE MONTH:
Keep Home and Work Devices Separate
Logging into company platforms and accessing company data from personal devices and multiple locations gives attackers more places to find a weakness they can exploit. As the Cisco incident shows, a personal account or a browser that syncs saved passwords can become the path into the corporate network.
Use Unique Passwords
Resist the temptation to use the same password for multiple devices or accounts in order to make them easier to remember. Instead, use a password manager. These programs store your passwords in an encrypted vault, generate long, unique passwords for every account, and eliminate the need to remember anything but the master password you use to unlock the program. Protect that master password with a long passphrase and turn on multi-factor authentication for the manager itself, since it now guards everything else.
Turn On Multi-Factor Authentication
Prevent unauthorized access to company platforms and accounts by turning on multi-factor authentication whenever possible. Keep in mind that not all MFA is equal: the Cisco attackers got past push-based MFA with vishing and MFA fatigue. Where the option exists, prefer number matching or phishing-resistant methods such as FIDO2 security keys, and train staff to deny, and report, any MFA prompt they did not initiate.
Did you know that Digital4nx Group was recognized by Enterprise Security as one of the top ten digital forensics companies in 2022?
If you are an attorney who litigates, know one, or are a responsible business executive whose ass is on the line if a data breach occurs, I would love to have a call or introduction!
Please share the above information with those people or arrange an introduction. Look forward to seeing you in the flesh!
DON'T FORGET ABOUT US:
Digital4nx Group provides a blend of legal and technology services where we systematically identify, preserve, extract, analyze, and interpret digital evidence.
Our services are commonly used to:
- React and respond by providing litigation support services for plaintiffs or defendants, as well as providing expert testimony and consulting, both in and out of court.
- Proactively identify and provide insights on how to better secure your confidential data, technology, and compliance.
Cyber Security Services
Cyber incidents can be damaging to an organization, both in the short and long term. Digital4nx Group helps business leaders protect their “crown jewels” through reasonable, defensible, and cost-effective services... Before, During, and After a Data Incident! We offer a multi-disciplined approach to cyber services such as:
- Advanced “Ethical Hacking”
- Cyber Risk and Compliance Assessments
- Incident Response to Cyber Incidents or Data Breaches
- Cyber Security Awareness Training