The data breach at the U.S. Office of Personnel Management was one of the most serious and possibly one of the top 10 largest data breaches of the 21st century, compromising background investigation records for some 22 million current and former federal employees. But a class action lawsuit brought on behalf of those employees was recently dismissed for lack of Article III standing. In that case, In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig. (“OPM Data Security Breach”), the U.S. District Court for the District of Columbia concluded that, with the exception of two employees who had incurred unreimbursed out-of-pocket expenses to remedy actual identity theft, the named plaintiffs failed to establish injury-in-fact. The court reached this conclusion even with respect to plaintiffs who had incurred fraudulent charges (for which they ultimately did not have to pay), who alleged that they had suffered stress due to a fear of identity fraud, and who had purchased credit monitoring services. The court was influenced by reports that the breach had been perpetrated by the Chinese government, and did not jeopardize the kind of credit card or other financial information that could be useful in committing credit card fraud. Thus, the court in OPM Data Security Breach was not willing to make assumptions about the likelihood of future harm, although such claims are routinely made (albeit with mixed success) in the context of retail and financial establishment breaches that involve a theft of credit card information.
Every organization is exposed to information security threats daily. It is essential that organizations have an information security protection program that is properly designed, documented, executed, and updated to minimize exposure to information loss, disruption of operations, and liability to third parties and regulators. An effective cybersecurity risk management program requires an effective governance structure based on the organization’s risk appetite — just like the company would create for any other material risk. While the components of a cybersecurity risk management program may vary from organization to organization, certain key elements are generally common to all effective programs. One such element is the importance of user education, awareness, and training.
In an article for his CSO ‘Crossroads of Cybersecurity and the Law’ blog, “Employee Training Remains the Best First Line of Defense against Cybersecurity Breaches,” Foley & Lardner Partner Mike Overly explains why companies need to prioritize employee training on current and future security issues if they want to avoid cybersecurity breaches. He also gives his top cybersecurity training tips and best practices within the article.
Foley & Lardner Partner Jennifer Rathburn is gearing up to host the November meeting of the Midwest Cyber Security Alliance. Jennifer will be joined by Joseph Abrenio, Founder and CEO of CyberSquire, and John Orbe, Vice President, Government, Education & Medical, Americas Enterprise at Juniper Networks.
SAVE THE DATE: November 30, 2017 from 3:00 p.m. to 8:30 p.m. Venture Cafe is located at One Broadway, 5th Floor, Cambridge, MA 02142. Please join us for all or a portion of the event.
We are excited to announce that Foley’s 2017 Telemedicine and Digital Health Survey is now available on foley.com. When we launched Foley’s inaugural Telemedicine and Digital Health Survey in 2014, health care executives weren’t ready to make telemedicine a significant focus of their business and patient strategies. In fact, 87 percent of respondents did not expect their patients to be using telemedicine services by this time.