The following excerpt is part of a series of blog posts on topics that will be discussed at the NCBA Privacy and Data Security Section Annual CLE. If you are interested in learning more, then please join us. Register for the program here.
Imagine it is a Friday afternoon. A doctor at the hospital you advise, whether as in-house counsel or as outside counsel, calls you in a frenzy. All her computers are locked up by malicious software demanding a ransom, and the ransom note says patient records will be sold if she does not pay. She asks what she should do next: should she pay the ransom? Should she contact law enforcement? Is she going to need to notify her patients, government officials or the medical board?
U.S. privacy law is a patchwork of state and federal regulations. Whether you practice in the privacy and data security space or not, these issues will likely one day affect the organization you work for as in-house counsel or the clients who call you for help as outside counsel. In the digital world we live in, all attorneys can benefit from understanding the basics of how to respond to an alleged security incident.
Do You Know How to Respond in the Event of a Security Incident? (Privacy and Data Security, 2021-10-19)
Historically, entities have looked at cybersecurity as a process of hardening their own defenses against more traditional attack vectors. However, recent attacks against suppliers, such as SolarWinds, Kaseya, Microsoft and others, have made headlines for the cascading effects of their data breaches. These attacks against supply chains, third-party vendors, business associates or any other trusted third party can have devastating impacts on downstream customers and clients. We have arrived at a time when strong technical controls and processes for your networks and systems, while critical, may not sufficiently protect an organization's interests. Legal protections from a vendor management program are needed as well. And the stakes are high for organizations looking to manage cyber risk: the most recent study by the Ponemon Institute found that the average cost of a data breach in the USA was over $8 million. While this sounds like an astronomical amount, even the smallest clients face serious costs: the same study found that the per-record cost of a data breach was a tad under $150, so a breach of even 1,000 records could have all-in costs in the six figures.
During the CLE, attendees will learn about common sticking points in negotiations with suppliers, practical tips on developing a third-party risk management program, and frameworks used by governments and other organizations for managing those risks.
Avoiding a SolarWinds in Your Business (Privacy and Data Security, 2021-10-15)
There is a lot of talk, but not a lot of clear law, about artificial intelligence (AI) in the United States. Most resources reflect a common agreement on AI: it is machine based; it is a system; it addresses human objectives; it uses algorithms designed by humans; it makes predictions, recommendations and/or decisions; it is designed to evolve; and while it can do much good, it poses great risks and something should be done about regulating it.
Stakeholders also generally seem to agree on the risks posed by AI. First, the underlying data – both training data and data processed by the AI – may not be accurate. Second, the AI model has to learn to perform its function by processing large volumes of data. Collecting that data can implicate privacy laws (i.e., disclosure and consent), and there are risks for the model if the data set lacks “integrity” (i.e., the data is not sound – garbage in/garbage out). Third, the algorithm could be biased. It is, after all, developed by humans, and humans bring their own presumptions and biases to their work. Fourth, unreliable or biased AI can have serious consequences for individuals, including denial of employment, credit, housing, due process and other rights, including privacy. Consider the now infamous example of Target using AI to determine that a teenage girl was pregnant and sending her coupons in the mail for diapers and other baby items, which were discovered by the teen’s dad. Where AI has been addressed by courts, legislation or federal agencies, the focus has been on balancing these risks against the benefits of AI. Transparency (notice), data integrity, nondiscrimination, validation, impact assessments and continuous monitoring are common themes. The following summarizes some materials reflecting the trajectory of AI regulation in the USA.
AI in the USA (Privacy and Data Security, 2021-10-13)
2021 Privacy and Data Security Section Program – Details and Registration (Privacy and Data Security, 2021-10-11)
The tidal wave of COVID-19 cases was not the only challenge faced in 2021. Blown away by the marked increase in ransomware attacks, both the public and private sectors prioritized consumer privacy and data security. Light as rain, privacy legislation emphasizing consumer choices and business obligations to defend against emerging cybersecurity threats trickled in, while Virginia and Colorado stormed in, passing comprehensive state-level privacy laws. This whirlwind of legislation, with a forecast of more to come, makes it important for all practitioners advising on privacy and data security matters to understand the storm surge of risks created by the 2021 privacy landscape shift.
The SolarWinds of Change 2021 Privacy and Data Security CLE program will update attendees on recent developments in privacy legislation, address ethical considerations in an era of emerging challenges and technology, take artificial intelligence by storm, and provide practical legal guidance on navigating vendor contracting issues based on lessons learned from the SolarWinds incident.
The program will provide 6.0 hours of CLE (including an ethics/professional responsibility hour and technology training hour) and is planned for both in-person and live webcast options. The full agenda and registration details can be found by clicking here.
Mark your calendars for Windsday . . . no, Thursday, October 28, 2021.
Do Not Get Caught in the SolarWinds of Change! (Privacy and Data Security, 2021-09-13)
Now that the situation at the pump seems to have recovered and returned to normal, it is time to figure out what actually happened in the Colonial pipeline attack and what lessons, if any, we can learn from yet another high profile cyberattack involving ransomware.
First, a few introductory words and some background on ransomware. Ransomware is a common form of cyberattack in our time: attackers deploy code onto the victim's network that encrypts files and folders throughout the network. According to the FBI, the best way to contain the attack is to block the code from moving across the network. For recovery, companies often rely on sound backup practices that allow them to restore encrypted files and folders without losing too much data. Of course, victims of ransomware attacks can also pay the ransom, but that practice is still discouraged by the FBI and in some cases actually prohibited, because the groups behind the attack are sanctioned foreign entities.
Network Segmentation – Perhaps the Only Piece of Good News From the Colonial Pipeline Hack (Privacy and Data Security, 2021-06-10)
In December 2020, as many of us were watching all things political and pandemic, current events eclipsed a serious breaking story. The SolarWinds hack exposed a level of data across the nation that was, to use the oft-turned phrase for 2020, "unprecedented." Not to be outdone, 2021 has now given America a data breach through the Microsoft Exchange email software that (conservatively) affected 60,000 organizations, spanning every level of size and sophistication.
Managing Risk in Technology Supply Chains After SolarWinds (Privacy and Data Security, 2021-03-29)
Happy spring! We are beginning to add resources to our online library, including recordings of two recent discussions from last week: (1) the joint YLD/PDS specialist discussion from March 16, “Becoming a Privacy Law Specialist: Exploring NC’s Newest Legal Specialization,” and (2) the Fireside Chat from March 17, “Managing Third-Party Privacy and Security Risks.”
We invite you to review the materials if you weren’t able to join or to revisit the materials at your leisure.
Here is a reminder of how to navigate the library.
How Do I Access the Library?
Click on “Communities.”
Scroll and find your community.
Click on the “Library” tab.
How Do I Find Content in the Library?
On the left side under folders, you will see varying folders.
When you click on a folder, the contents of the folder will pop up on the right side under “Folder Contents.”
Privacy and Data Security Section Updates and Library How-To (Privacy and Data Security, 2021-03-22)
SolarWinds made a name for itself as the developer of network monitoring tools that help small and large companies run their environments efficiently. While not a security-focused company from a product standpoint, the understanding was that the code behind SolarWinds' tools was protected as intellectual property and that its updates were safe to run. It turned out that both of these assumptions were wrong.
How Was the Compromise Detected?
In late 2020, FireEye, a cybersecurity company that helps organizations around the world respond to cyber incidents, detected some unusual activity on its own network. FireEye discovered it had been hacked after the attackers tried to register a device to FireEye's multi-factor authentication system using stolen credentials. The system notified the employee whose credentials were stolen and alerted the FireEye security team to the new device. This notice triggered an internal investigation into who was trying to register the device. FireEye performed in-depth code analysis and determined that the intrusion originated with a SolarWinds product called Orion. Some analysts believe that attacking FireEye was a mistake by the attackers, since it sped up detection of the SolarWinds hack.
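The detection described above, a new-device registration against the MFA system that raises an alert, as an added example written for this post rather than FireEye's own tooling: it baselines each user's usual source networks from a prior period of successful logins, then reports every MFA enrollment in the window under review, rating an enrollment higher when it comes from a network the user has never been seen on. The JSON-lines log format, the field names, the sample events and the /24 grouping of addresses are all assumptions made for illustration.

```python
"""Flag MFA device enrollments against a per-user baseline of source networks.

Added example for this post, not FireEye's tooling. The JSON-lines log
format, the field names and the /24 grouping of source addresses are
assumptions made for illustration.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample data. BASELINE_LOG stands in for a prior period of
# successful logins; RECENT_LOG is the window being examined.
BASELINE_LOG = """
{"ts":"2020-11-02T08:10:00Z","event":"login.success","user":"alice","src_ip":"203.0.113.10","device_id":"dev-a1"}
{"ts":"2020-11-09T08:12:00Z","event":"login.success","user":"alice","src_ip":"203.0.113.15","device_id":"dev-a1"}
{"ts":"2020-11-16T09:00:00Z","event":"login.success","user":"bob","src_ip":"203.0.113.22","device_id":"dev-b1"}
"""

RECENT_LOG = """
{"ts":"2020-12-01T09:00:00Z","event":"login.success","user":"alice","src_ip":"203.0.113.10","device_id":"dev-a1"}
{"ts":"2020-12-02T10:00:00Z","event":"mfa.device.enroll","user":"alice","src_ip":"203.0.113.11","device_id":"dev-a2"}
{"ts":"2020-12-03T02:13:00Z","event":"login.success","user":"bob","src_ip":"198.51.100.77","device_id":"dev-x9"}
{"ts":"2020-12-03T02:14:00Z","event":"mfa.device.enroll","user":"bob","src_ip":"198.51.100.77","device_id":"dev-x9"}
"""


def load_events(text):
    """Parse JSON lines, skipping blank lines, in file order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def network_of(ip):
    """Group an address by its /24 so small DHCP changes do not look new."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def build_baseline(events):
    """Map each user to the set of /24 networks seen in past successful logins."""
    baseline = defaultdict(set)
    for e in events:
        if e["event"] == "login.success":
            baseline[e["user"]].add(network_of(e["src_ip"]))
    return baseline


def detect_enrollments(events, baseline):
    """Return one alert per MFA enrollment.

    Every enrollment is reported, because a device the user did not add is
    how a stolen password turns into persistent access. Enrollments from a
    network the user has never logged in from are rated high; logins in
    the window under review do not feed the baseline, so an attacker who
    logs in first and enrolls a minute later still gets the high rating.
    """
    alerts = []
    for e in events:
        if e["event"] != "mfa.device.enroll":
            continue
        net = network_of(e["src_ip"])
        known = net in baseline.get(e["user"], set())
        alerts.append({
            "ts": e["ts"],
            "user": e["user"],
            "device_id": e["device_id"],
            "src_ip": e["src_ip"],
            "severity": "medium" if known else "high",
            "reason": ("new MFA device from a known network" if known
                       else f"new MFA device from unseen network {net}"),
        })
    return alerts


def run_sample():
    """Apply the detector to the constructed logs and return the alerts."""
    baseline = build_baseline(load_events(BASELINE_LOG))
    return detect_enrollments(load_events(RECENT_LOG), baseline)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity'].upper()}] {a['ts']} {a['user']} enrolled "
              f"{a['device_id']} from {a['src_ip']}: {a['reason']}")
```

Run as a script, it prints two alerts: alice's new device comes from her usual 203.0.113.0/24 and rates medium, while bob's device, enrolled a minute after a login from an address never seen for him, rates high. In practice the baseline would be built from weeks of identity-provider logs, and the alert would go both to the user, as it did at FireEye, and to the security team.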
SolarWinds – What Do We Know and What Can We Learn From It? (Privacy and Data Security, 2021-03-17)
The North Carolina State Bar's Rules of Professional Conduct require attorneys in this state to uphold a duty of competence in their practice. Under Rule 1.1, competence in representation "requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary." Competent and zealous representation of an attorney's clients is of the highest priority. Monitoring changes in case law and the broader legal landscape is imperative to maintaining this knowledge and skill.
Reconciling Emerging Technologies with North Carolina's Duty of Competence (Privacy and Data Security, 2020-12-09)