Tag Archives: Goodwin Procter

Security News for the Week Ending February 12, 2021

Law Firm Goodwin Procter Hacked

Goodwin Procter managing parnter Mark Bettencourt confirmed that some of their clients’ data was compromised. But not to worry; it only affected a small percentage of their clients. One more time, we have a “supply chain attack”. While the vendor was unnamed, I suspect it was Accellion. They suffered a breach that is all over the news due to the high profile targets that suffered a loss. So now a very high profile law firm has to explain to its clients why its security was not good enough to protect their most sensitive data. If you are a client of a law firm, how confident are you that they can protect your data? Credit: ABA Journal

What Does This Mean for Cities?

Salesforce is joining other big tech companies in changing the work-life equation. This week they announced that most staff, after Covid, will only be in the office 1-3 days a week, many workers will never return to the office and a few workers will be in the office 4-5 days a week. This means that work from home security is now permanent, but it also questions the implications for downtown big cities. Salesforce has 9,000 workers in San Francisco. If half of them never come to the office and another 30% come to the office 1-2 days a week, what does this mean for downtown retail and office space? Credit: MSN

State Department Declassifies Report on Cuba’s Sonic Weapon

You may remember reports of Cuba having a secret sonic weapon back in 2017-2018. A newly declassified report by the State Department’s own Accountability Review Board lambasted the department’s response to the attack as lacking leadership, having ineffective communication and being systemically disorganized. There are 104 pages of detail, but none of them paint the previous administration favorably. As a result of the botched investigation we will probably never understand what the weapon was that Cuba attacked us with. Credit: Vice

Ex-Students Plead Guilty to Stealing and Trading Nude Pics and Vids

Two former SUNY Plattsburgh (NY) students pleaded guilty to hacking coeds’ MyPlattsurgh portal accounts and stealing nude pictures and videos. The portal contains full access to the students’ email, cloud storage, college billing, financial aid, coursework, grades and other personal information. They either guessed passwords or guessed security question answers. When the found nude photos and videos, they traded them with others, in some cases identifying the students by name. They even posted some photos online. Credit: The Register

IRS Warns Tax Pros of Identity Thieves Targeting Them

The IRS is warning tax professionals hackers are trying to steal their electronic tax filing credentials so that they can file fake returns and those returns will be tied to those same tax pros. If you are a tax pro and need help, please contact us. Credit: Bleeping Computer

This (cyber security) is not a server room issue

For anyone who has listened to me over the last 10 years, this is old news.  I have been saying that cyber security is no longer an IT problem, but rather a Board Room problem.

Now I am getting some support from an interesting place.

Gus Coldebella, former general counsel at the Department Of Homeland Security and now a partner at Goodwin Procter (the 38th wealthiest U.S. law firm with about 900 attorneys) is saying it too.

In a white paper for the security firm Bit9+Carbon Black, Coldebella says:

If there is one overarching success that we in the cybersecurity community can claim over the last year to 18 months, it’s that the mantra “this is not a server room issue, it’s a boardroom issue” has finally started to take hold.

I might argue about how well it is taking hold, but there is certainly a lot of discussion about that subject, which is a good start.  Probably, at Target and Home Depot, it IS a boardroom issue, but what about the millions of mid-tier companies?

Coldebella (and I) recommend a top to bottom risk assessment, considering risk, vulnerability and consequence.  I would say this should be part of any merger, acquisition or major investment, as well.

Coldella further says that companies have probably over invested in protecting PII and under invested in protecting corporate information that could cause more long term harm.

To assess vulnerability, the company must, in light of the digital assets that it has, ask high-level strategic questions: What data might the attackers be interested in? How is it safeguarded? What systems are in place to let the company know that that data has been exfiltrated or tampered with? And if the data is stolen or altered, who will be affected, and how can the company recover? Companies are starting to realize that the bad guys aren’t just interested in personally identifiable information. For too long, companies have focused on, and probably overinvested in, PII security, because PII generally requires some disclosure under various states’ laws. This seems to have resulted in underinvestment in the security of other digital assets—such as intellectual property, executive communications about sensitive matters such as M&A transactions, other important business and financial information, and even private conversations that could be embarrassing or worse if disclosed—all of which could cause more harm to a company’s reputation, value, and future   prospects than even a PII breach could.

One last quote – Director’s liability

This is not a “one-and-done” board meeting. Boards of
directors must remain vigilantly focused on security of a company’s digital assets, given that the threat is always changing and the adversary is constantly improving. Under the Caremark standard (after Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996)), members of boards of directors could be found to have violated their duty of loyalty—and could be held legally liable—if they fail to oversee management’s approach to cybersecurity, so from a corporate governance point of view, it is better for the board of directors to act than not to act.

It is fair to say that Gus is an attorney and he practices cyber security law, so he also has a vested interest in the subject, but it is also fair to say that Goodwin Procter likely has a pretty good legal department, so they are not going to let him say anything they don’t believe.