The global coronavirus pandemic continues on, and the cyberattacks and scams continue to multiply.  In the midst of the pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed at infecting computers with malware or obtaining sensitive, personal information.  Below are some of the latest examples of attacks and vulnerabilities to be aware of:

Continue Reading Update: Coronavirus Cyberscams and Other Attacks – Scammers Are Still at It

In the midst of the coronavirus pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed to infect computers with malware or obtain sensitive, personal information.

For example, readers may be familiar with a popular interactive dashboard created by Johns Hopkins University using real-time data from the World Health Organization to track the spread of the virus. It has become a go-to source for many wishing to stay up to date on the virus. Recently hackers have circulated links via social media, email attachments and online advertisements to malicious websites that are disguised as the university’s COVID-19 map. However, the deceptive links open an applet that, when installed, infect the device with malware designed to steal personal data such as login credentials, banking information and other sensitive data. To ensure you are accessing the “real” COVID-19 map, directly access it through Johns Hopkins’ official home page, rather than clicking any unidentified links or searching the internet.


Continue Reading Coronavirus Cyber Scams: Outbreak Map Used to Spread Malware and Cyber Attack Experienced by the HHS

In the first published enforcement action of 2020, a gastroenterology practice in Ogden, Utah, has agreed to pay a $100,000 settlement to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

According to the Resolution Agreement entered into between Steven A Porter, M.D., P.C. (the “Practice”) and OCR, the Practice reported a breach to OCR in 2013 due to conduct by a business associate of the Practice. While investigating the breach, OCR determined that the Practice had not implemented appropriate policies and procedures to address security violations, failed to conduct a security risk analysis, and did not have reasonable and appropriate security measures in place. Further, the Practice had used an electronic health records vendor for several years without entering into an appropriate business associate agreement.

In addition to the $100,000 payment, the Practice is required to submit to a Corrective Action Plan for a two-year period. The Corrective Action Plan requires the Practice to take a series of broad measures in furtherance of HIPAA compliance, detailed below.
Continue Reading Small Businesses Are Not Safe from Big HIPAA Liability

For years, corporate boards have hired third-party companies to conduct financial audits to assure that there is no fraud or other breaches of fiduciary responsibility by management. Cyber risks should be managed similarly. Who can thoroughly evaluate whether management is prepared to protect the company when its systems are attacked or when a data breach occurs? Is management prepared to execute the company’s incident response plan, or is it just sitting on the shelf untested?

Continue Reading Effective Incident Response Requires Good Cyber Exercise—Is Your Company in Shape?

Welcome back to our three-part series examining cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. In Part Two, we reviewed different types and  trends of cyberattacks. Here, we will outline how family offices can defend against cyberattacks.

How Family Offices Can Defend Against Cyberattacks

Over a quarter of multi-million dollar family offices do not have dedicated cybersecurity policies in place to protect their systems. This may be because they do not view themselves as needing an onerous cybersecurity policy. However, this view is short-sighted and can leave family offices subject to heavy losses. Family offices do not need to implement large scale or particularly burdensome policies or procedures. Rather, they can build specialized, flexible programs by utilizing a consultant that is reactive to ongoing and updating threats.
Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats? (Part III)

Welcome back to our three-part series examining vulnerabilities surrounding family offices and steps they can take to mitigate those risks. In Part One we discussed how family offices are particularly vulnerable to cyber-crime. Here, we will review different types and trends of cyberattacks.

Cyberattack Trends

Most cyberattacks are the result of “phishing” emails. “Phishing” refers to a deceptive effort to obtain the recipient’s sensitive information by disguising the sender as someone the recipient knows and would trust. Phishing recipients can be deceived into downloading malicious software, providing personal information like account numbers or PINs, wiring funds or paying invoices to cyber-criminals. Ransomware is malware that denies the victim access to their system’s files until the victim pays a ransom. While malware can also take the form of “drive-by” downloading when a victim visits a website prompting the malware to download, over 90% of malware is still delivered via email.
Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats? (Part II)

At least 25% of family offices have been subjects of cyberattacks, and nearly 40% of them lack a cyber security policy. Welcome to a three-part series that will examine the cyber vulnerabilities surrounding family offices and steps they can take to mitigate those risks.

Family Offices Are Particularly Vulnerable to Cyber-Crime

As part of the global increase in the number of billionaires worldwide, family offices have evolved from little more than holding companies to highly sophisticated financial firms managing family wealth, administering assets and acting like a typical private equity or debt fund. Family offices are managing almost 50% of Ultra High Net Worth family wealth. Given the vast amount of wealth that family offices support, they are prime targets for cyber crime, which some analysts project will account for a global $6 trillion cost by 2021.  The fact that nearly 40% of family offices do not even have a cybersecurity policy in place highlights the need for improvement when it comes to making themselves less vulnerable to cybercrime. 
Continue Reading What is Your Family Office Doing to Protect Itself From Security Threats?

The European Union’s (EU) ambitious and far-reaching regulation, the General Data Protection Regulation (GDPR), became effective on 25 May 2018. On the one-year anniversary, we reflect on some of the principal developments following the implementation of the GDPR

European privacy values: a cultural shift

Critics have derided the GDPR for placing an onerous and expensive compliance burden on businesses, causing confusion and creating ‘data privacy fatigue’ amongst consumers and businesses alike.

Conversely, the furore has generated significant publicity around the GDPR, contributing to a cultural shift towards greater consumer empowerment and control over personal information. Public awareness of the GDPR is high – in May 2018, GDPR was searched more often on Google than either Beyoncé or Kim Kardashian. Individuals have a better understanding of their rights in respect of their personal data – which presents more of a risk to data controllers.

Equally, GDPR has completely changed the risk profile of data protection for most businesses. Under the previous, weakly enforced regime, most businesses treated data protection as a low risk issue. Under the new regime, data protection has become a high-risk issue.
Continue Reading The General Data Protection Regulation’s First Birthday

The General Data Protection Regulation (GDPR) imposes strict obligations upon organizations that process the “personal data” of European individuals. Failure to comply with GDPR can result in large fines. The UK’s Information Commissioner’s Office (ICO), in recent months, issued a number of fines of £500,000 on global businesses with household names, and such fines have generated a lot of publicity. Many onlookers would be shocked by the magnitude of those fines but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after May 25th of this year, when the GDPR took effect, those fines would more than likely have been significantly higher.

Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms.
Continue Reading Implications of Brexit on GDPR