Targeted: Companies Face Emerging Regulatory and Cybersecurity Threats in 2018
Following a year where companies were targeted in breaches that compromised personal information of more than half of the U.S. population, regulators are moving away from voluntary cybersecurity compliance to comprehensive regulation and enforcement.
January 16, 2018 at 12:00 PM
Following a year where companies were targeted in breaches that compromised personal information of more than half of the U.S. population, regulators are moving away from voluntary cybersecurity compliance to comprehensive regulation and enforcement. Cybersecurity threats continue to escalate and evolve, and companies must prepare for the increased regulatory scrutiny and mandatory state, federal and international cybersecurity frameworks. This article explores key cybersecurity trends for 2018, provides an overview of changing regulatory frameworks, and outlines practical steps for companies to combat evolving cyber threats.
Key Cybersecurity Trends for 2018
Ransomware—the number of ransomware attacks nearly quadrupled in 2017. Ransomware encrypts a victim's files so that only the attacker holds the key needed to decrypt them. Attacks became more sophisticated and were aimed at mobile phones as well as computers. Cryptocurrency, most notably Bitcoin, has given ransomware attackers a difficult-to-trace way to collect from their targets. No industry has been spared from ransomware attacks, which can arrive through malicious emails or websites. The highly publicized and unprecedented “WannaCry” attack showed just how pervasive and fast-moving these attacks can be. In 2018, expect greater sophistication in both protection mechanisms and the attacks themselves, as perpetrators find innovative ways to exploit expanding technology and circumvent earlier protective measures.
Sophisticated phishing—Phishing will likely remain one of the most effective forms of cyberattack in 2018, as attackers have seen that even a slow-burning campaign can yield a huge payout. In 2017, cybercriminals perpetrated a Netflix phishing attack that defeated many common protections used by spam filters, including mirroring HTML code from Netflix's own site and buying credible-looking URLs to host its malicious pages. Other schemes targeted specific safety features built into well-known email clients, such as Office 365. Attackers are willing to take their time to social engineer the results they desire, and companies must respond with rigorous employee training, and should also consider new digital safeguards: programs that detect impersonation and the natural language processing that attackers now pair with Artificial Intelligence (AI) to enable their attacks.
Cyber destruction—In 2017, there was also a surge of attacks aimed not at monetary gain but at destruction alone. These attacks, sometimes cloaked under the guise of ransomware, have been used for political ends. Perpetrators of these destructive attacks have targeted not only companies but key infrastructure operators, including power plants and utility companies.
Overview of Changing Regulatory Frameworks
The much-discussed General Data Protection Regulation (GDPR) goes into effect May 25, 2018. The GDPR introduces a host of new requirements for data controllers and processors, aimed at giving individuals more control over their personal data. Although European companies (and any company that handles the data of EU citizens) have had two years to become GDPR-compliant, it is likely that many have not, and non-compliant organizations may be made an example of. For the rest of 2018, the world will see what strong regulation looks like in practice, and other jurisdictions may begin to model their own rules on the EU's if the GDPR proves successful.
The United States still depends on a state-by-state framework for most cyber law. In March 2017, New York's Department of Financial Services (DFS) cybersecurity regulation, 23 NYCRR 500, went into effect, mandating minimum standards for all banking, insurance, and brokerage firms licensed to operate in New York. The DFS regulation requires, among other things, that every covered entity have a cybersecurity plan to protect users' data, appoint a senior security officer, train its employees, and submit a yearly certification of compliance. It also imposes tighter requirements on third-party vendors. The DFS regulation is thought to be the strictest of its kind in the United States. Other states, including Colorado with its Rule 51-4.8 Broker-Dealer Cybersecurity regulation, have followed suit with regulations of their own. It appears that the days of voluntary compliance with cybersecurity norms are slowly coming to an end.
On a national level, President Trump signed the 2018 National Defense Authorization Act in December 2017, which attempts to clarify the U.S. position on cyberattacks and cyber warfare, both offensive and defensive. We anticipate that President Trump will define what “cyber warfare” is and develop a plan to be approved by Congress (Sec. 1633), while the Defense Secretary is charged with streamlining current cyber initiatives. Other federal agencies are also raising the stakes: the FTC continues its strong enforcement, and the SEC has signaled forthcoming Commission-level cybersecurity regulations. 2018 will likely bring a seismic shift in the way cybersecurity is addressed in the United States and around the world.
Practical Steps to Implement Now
- Recognize and socialize the idea that no company is “completely safe,” and that it is better to be proactive and prepared to contain any breach. Conduct gap analyses and penetration testing to identify weaknesses before an attacker does.
- Prepare an incident response plan for when you are the victim of an attack.
- Train your employees, including upper level management, through tabletop exercises and security training. Follow up on weaknesses to maintain competency.
- Ensure that your organization has a senior security officer. If a senior security officer is already in place, empower that individual in the workplace.
As the sophistication and damage from cyberattacks continue to rise, companies should expect that federal, state, and international cybersecurity regulations will become more rigorous. Preparing for the worst in advance can make the difference between a successful and unsuccessful breach response.
Michelle Reed is a partner in the Dallas office and co-leader of Akin Gump Strauss Hauer & Feld's cybersecurity, privacy, and data protection practice. Lauren York is an associate in Akin Gump's Dallas office. They advise clients on data breach investigations, notifications, and subsequent litigation.