
Cybersecurity & Data Privacy


Today, “data” is a critical business resource, just like personnel, equipment, and capital. Virtually every business has become “data-intensive,” and for many businesses, their data holds significant economic value to them, their employees, and their competitors. That data, and the systems that process and store it, are subject to a wide variety of threats from both internal and external sources. Cybersecurity is something no business can afford to ignore. It’s a common misconception that threat actors primarily go after large companies. Cybercriminals are increasingly, and aggressively, finding small and medium-sized businesses (SMBs) to be desirable targets. Vandeventer Black’s cybersecurity and data privacy team has the resources and expertise to guide businesses of any size in managing cyber threats and maintaining data security and privacy compliance.

Companies that are proactive when it comes to implementing cybersecurity preventatives, solutions, and response plans will significantly increase their chances of mitigating cybersecurity incidents, as well as their consequences. Certain types of data are subject to federal and state regulatory requirements involving its storage, use, and unauthorized disclosure, and the failure to understand and follow these requirements can result in significant penalties, expense, and lost revenue. 

Vandeventer Black LLP has the expertise that companies need to mitigate cybersecurity incidents and/or help them navigate the complex legal and regulatory issues that arise after an event occurs. Our law firm takes a holistic “total business” approach to cybersecurity and data privacy by providing practical, real-world approaches to address the entire spectrum of cybersecurity and data privacy issues.  We provide guidance and assist businesses, both large and small, in managing the complex challenges associated with cybersecurity and data privacy. 

What Is Cybersecurity?

Cybersecurity is the process of establishing policies and procedures to protect networks, devices, and data from breach, loss, or unauthorized access and to protect the confidentiality, integrity, and availability of data. 

Vandeventer Black can help companies develop policies and procedures to minimize cybersecurity incidents and to mitigate incidents that do occur, through data breach planning, response, and management services. We provide counsel both to pursue responsible persons and to defend against resulting incident claims, and we guide our clients through the entire investigation process.

While larger companies may possess the resources to absorb the losses, many small to medium-sized businesses may be unable to recover from a data breach.  Even a small data breach affecting only a few thousand records could expose a business to significant losses and business interruption, with devastating impact, and may even cause a business to close.

Data Security and Data Protection

Your data is a significant component of your company’s ecosystem and includes files, databases, email accounts, and networks. Essentially, it’s your business’s lifeline. If a loss or exposure occurs, your company may have significant difficulty continuing operations. Not to mention, the business would be exposed to costly legal entanglements that could last years. Employing strong data security and data protection measures mitigates these risks by adopting a set of controls, techniques, and applications that identify the importance of data subsets and applying the right security mechanisms.

Protection of Intellectual Property Against Hackers

Intellectual property is an important asset of any business. Besides taking the steps to acquire patents, trademarks, and copyrights for all of your IP assets and protecting trade secrets, taking preventative measures to protect your business’s intellectual property is vital. This includes new or in-development ideas that cannot yet be trademarked, and other proprietary information not protected under individual IP laws. Hackers are well aware of the value of your intellectual property and actively pursue cyber attacks to obtain it, especially through ransomware attacks. Taking steps to legally protect your intellectual property should be a priority.

Data Privacy Legal Matters

Failure to follow data privacy laws can cause a business to incur significant penalties. If your company were to inadvertently expose data, it could be liable under various federal, state, and international laws. Regulatory agencies or governments may take action against companies they believe failed to implement and maintain reasonable security measures, didn’t follow a published privacy policy, transferred personal data not disclosed on its privacy policy, lied to consumers about privacy policies, violated a consumer’s rights, or failed to implement sufficient security measures to protect data.  

Our attorneys advise companies across a broad range of industries on state, federal, and international data privacy laws. In addition to helping clients understand and address complex and constantly evolving privacy laws generally, we also advise clients on privacy and security implications associated with such matters as mergers and acquisitions, outsourcing arrangements, government contracting, and other transactions.

What Are Some Common Cybersecurity Risks?

Cybersecurity risks come in many shapes and forms. Businesses of all sizes should be aware of and consider the problems that can result from the following risks:

Phishing/Email Spoofing

Phishing attacks continue to be a source of risk and often occur through spoofed emails. Email spoofing occurs when threat actors send emails using forged sender addresses. In other words, these emails are carefully crafted and designed to deceive the recipient into believing the communication to be legitimate. If the recipient trusts the sender, they’ll be more likely to click links, download attachments, or take other directed actions. When spoofs are successful, the cybercriminal can gain access to business networks, compromising business data.

Cyberattacks

There are many types of cyberattacks that may result in data breaches. These attacks include phishing and spear-phishing, DDoS (distributed denial of service) attacks, ransomware, social engineering (online and offline), malware, drive-by, and cross-site scripting attacks. Cybercriminals consistently work to stay one step ahead and use new strategies to get around the protective measures businesses employ. All businesses need to make investments to consistently stay on top of cyber threats.

Malware

Malware is a type of malicious software that is designed to disrupt, damage, or gain unauthorized access to a computer system. Types of malware include viruses, worms, trojans, spyware, and ransomware. Whether launched by cybercriminals, cyber terrorists, insiders, or foreign states, any industry is vulnerable to these attacks. As the world moves toward automation and interconnectivity, and reliance on cyber systems increases, so do the vulnerabilities of the industry. While no countermeasures can completely eliminate the risk of being infected by malware, implementing best practices can help reduce an organization’s overall risk of a significant threat.

Ransomware Attacks

Ransomware has been one of the top cyber threats in the past several years. Thanks to the WannaCry attack of 2017 and others, most people have heard of this type of cyber threat, but many do not know how it works, how to protect against it, or what to do if they are infected.

What is Ransomware?

Often delivered through phishing emails, or through exploit kits used by hackers to exploit software vulnerabilities such as compromised websites or “free” versions of software, ransomware is a form of malicious software (malware) that blocks user access to a device or files, usually by encryption, until the victim pays a ransom. Once a victim’s files are encrypted, attackers display a screen or webpage that explains how to pay the ransom (in digital currency, such as Bitcoin) and unlock the files with a decryption key. In addition, the latest trend is for attackers to leak or “exfiltrate” victims’ data to the Dark Web, demanding victims pay a second ransom for the return of their data. Although it has been around for years, ransomware has become increasingly prevalent, and with so many variants available, it can now be purchased on a subscription basis (Ransomware-as-a-Service), allowing even novice cybercriminals to launch attacks.

While no amount of planning can completely eliminate cyber risk, understanding how ransomware works is an important part of any business’s cyber risk management plan. Our cybersecurity lawyers are knowledgeable and experienced in helping businesses reduce ransomware risks.

Sensitive Data Leaks

Employees are usually at the center of cybersecurity incidents that lead to sensitive data leaks, whether on purpose or by accident. People can and do accidentally email files to the wrong recipients, click on malicious links, download bad attachments, lose laptops and other devices, fall for social engineering scams, or find themselves leaving the company vulnerable in other circumstances.

Unauthorized Access to Company Systems

In the past, cybercriminals had to either physically break into a building or find a way to illicitly hack into a company’s network or computers. Today, many businesses utilize cloud computing for various reasons.  However, even with cloud computing, there are still risks involved as cloud-based applications give threat actors another venue to gain unauthorized access. Furthermore, increased connectivity also presents risks since hackers often target vendors or others you do business with, who may be less secure, providing additional cyber attack vectors to exploit.

Significant Security Issues With Employees Using Personal Devices To Perform Company Work

Employees using devices for both personal and business purposes represent a potential liability. Employees can accidentally download malware or click on a link designed to exploit credentials, giving access to your company’s network. 

What Are the Legal Ramifications of Cybersecurity Issues?

There is a link between data breaches and a business’s deficiencies in managing its data and the data of others. There are also legal ramifications tied to these deficiencies.  All companies that fall short of reasonable expectations can and should expect to face stiff penalties. Developing and following appropriate cybersecurity policies and procedures and having contingency plans to protect your company will reduce the risk of legal ramifications, which can be serious and financially ruin your company.

Government Fines

Regulatory compliance is critical. Businesses are responsible for adhering to numerous federal, state, and international laws, depending on the industry they are in and the data they manage. Failure to comply can result in government-imposed fines. Some laws/regulations include the Health Insurance Portability and Accountability Act (HIPAA), Securities and Exchange Commission (SEC) requirements, Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), the soon to be implemented Virginia Consumer Data Protection Act (VCDPA), California Consumer Privacy Act/California Privacy Rights Act of 2020 (CCPA/CPRA), and the EU’s General Data Protection Regulation (GDPR).

Litigation

Businesses that experience a data breach can be subject to litigation in the form of individual private, class-action, and government lawsuits. If a court finds a business negligent or non-compliant, that business can face significant financial consequences. Government agencies take cybersecurity incidents seriously, and so should your business. Lawsuits are not limited to reimbursing victims for exposed personal data or credit card losses due to fraud. Companies can be held liable for multiple categories of damages, and these are legal complexities that continue to evolve. One of our core practice areas is litigation. We are experienced in representing clients in both state and federal courts, including multi-state litigations, within several jurisdictions.

What Do You Need To Do To Protect Your Business From Cybersecurity Risks?

Businesses can protect themselves from cybersecurity risks, and the risk of penalties, by taking preventative action. Failing to be proactive is not an option for businesses because the risks and costs of inaction are too high. The following are several essential steps businesses can take.

Ensure Proper Security Measures Are in Place

To protect against cybersecurity incidents, businesses should put protective security measures in place. Nothing is 100% certain, but by implementing a preventative course of action, including biometric solutions, multi-factor authentication, patching, utilizing virtual private networks (VPNs), and others, businesses will be better able to protect their data. Additionally, businesses will be prepared to show regulatory agencies and courts that they pursued reasonable protection measures to prevent a cyberattack from occurring.

Consider Cyber Insurance

Cyber liability insurance is increasingly becoming an essential element in the overall risk management strategy for many businesses since it can help cover financial losses suffered as a consequence of a cyber attack. It can also cover legal services to help businesses meet state and federal regulations, victim notifications, extortion payments made in response to ransom demands, lost income from network outages, and other fines and legal costs.

Some insurance companies offer customers cyber liability policies specific to cyber risks, including those risks associated with data breaches. These policies can vary in terms of their coverages and exclusions.  In general, these policies typically offer both first-party and third-party coverages.

It is important to review any policy and its exclusions before purchasing to understand the potential limitations in coverage. Failure to do so can lead to uncertainty and can expose a business to coverage disputes, frequently at the worst possible time – after a breach has already occurred.

The language used in these policies can be complex, and it may not be easy for businesses to identify and understand potential gaps in coverage. It is important for businesses to have a thorough understanding of their risk profile when applying for coverage. Our cybersecurity attorneys have experience working with insurers who provide first-party and/or third-party cyber liability coverage.

Have an Incident Response Plan

Every day, businesses manage  confidential information that needs safeguarding. Developing and practicing an incident response plan helps businesses know what to do if a cybersecurity event occurs. In the middle of an incident, every minute matters. 

From securing a business’s network, to notifying victims, to notifying law enforcement, to responding to media inquiries, an incident response plan is a blueprint to ensure nothing is missed. Our practice develops and reviews cybersecurity incident response plans as well as policies and procedures addressing disaster recovery and business interruption.  

Notify Victims if Data Breaches Occur

After a breach occurs, businesses will likely need to send a breach notification to affected individuals or businesses. The federal government, all states, the District of Columbia, Puerto Rico, the Virgin Islands, the European Union, and other countries have enacted specific legislation related to notifying victims about security breaches. Obtaining legal counsel to assist is crucial in order to understand what notifications are required in accordance with applicable laws. Also, it is important to consider if the business maintains health records; HIPAA has its own requirements.

Notify Law Enforcement if Data Breaches Occur

Sometimes businesses do not realize for weeks, months, or even longer that they’ve been breached. Ignorance is not an excuse under the law; obtaining expert legal support will ensure the company is protected. In addition, legal counsel can assist businesses in notifying law enforcement when a data breach is discovered.

Get Legal Help From an Attorney if You Have a Breach That Puts Client Information at Risk

If your company processes, transmits, and stores client information, your company is at risk. Any company that suffers a data security breach or ransomware attack should understand the importance of speaking with competent legal counsel with experience in cyber threats and remediation. Numerous legal implications can arise, and you’ll need legal counsel by your side who can help you navigate what can quickly become a complex legal situation. In addition to alerting clients of data breaches, businesses will likely need to notify other stakeholders, including service providers and insurance carriers.

Do I Need a Cybersecurity Law Firm?

Short answer: Yes. You need legal representation from attorneys who fully understand the consequences of data breaches and other security incidents — not only to be proactive but also reactive if an event does occur. Threat actors typically assume SMBs don’t have the personnel, budgets, and other resources to ensure adequate cybersecurity. Therefore, they assume these businesses won’t be protected. At our firm, we understand the unique challenges and needs of these companies. Therefore, we have developed customized and cost-effective legal services specifically for SMBs. Our subscription and general counsel practice is tailored for companies with limited resources. 

Here is a look at what our experienced law firm can do for your business:

Get Help Evaluating Security Safeguards

A knowledgeable Vandeventer Black attorney will examine your business’s policies, protocols, and other factors to examine what you have in place and what you might be missing. They’ll evaluate and identify deficiencies in crucial data security safeguards that would potentially be devastating to the business. If any are identified, they’ll work with you to address those deficiencies. 

Get Help Responding Properly to a Breach

Companies that don’t respond properly to a data breach are likely to suffer severe consequences, including damage to their financial status and reputation, intellectual property losses, and other hidden costs. Having general counsel by your side during this crucial period helps ensure the business is protected.

Get Help Creating Compliant Security Policies and Notices 

To reduce the risk of security incidents, all companies should develop robust information security policies and security practices and keep them up to date. Implementing these policies and practices increases compliance and provides company leadership with a roadmap of outlined procedures to follow in the event of a cybersecurity incident or data breach.

How Vandeventer Black Can Assist with Cybersecurity Concerns

The corporate and business attorneys at Vandeventer Black are ready to assist you with cybersecurity concerns and help your company develop policies and procedures to minimize cybersecurity incidents and address any that occur. Our team is also prepared to provide crisis management planning and data breach response services.

Knowledge of Federal and State Data Privacy/Cybercrime Laws

The federal Computer Fraud and Abuse Act (CFAA) is a law that dates back to 1986 and has been amended numerous times.  It is likely this important law will continue to change and if so, you’ll want an experienced legal team who can apply this law if circumstances arise.

Aside from federal laws and agency regulations, many states and jurisdictions have their own legal requirements, such as those found in the recently enacted Virginia Computer Crimes Act, the California Consumer Privacy Act, or the General Data Protection Regulation (GDPR). Additionally, states are continuously adding requirements or passing new laws. Our experienced attorneys can help your company comply not only with your home state’s laws but also with the laws of other jurisdictions that are applicable to your business. Due to the borderless nature of the internet, your company may be held liable for breaking laws in other jurisdictions if you have consumer data originating from residents of other jurisdictions. You’ll need to consider both consumer and client data protective measures to ensure compliance.

Develop Procedures To Reduce Incidents

As a part of the services we offer, our attorneys will help you develop specific procedures you can integrate into your company’s policies and risk management plans. Industries have different requirements. For example, the healthcare industry faces different incident response requirements than those that provide financial services. We’ll help you custom-design policies to reduce the risks associated with cyber threats and data privacy issues in your industry sector. We can also assist in establishing customized cybersecurity and data privacy training.

Pursue Legal Actions Against Hackers

Our attorneys are prepared to conduct full investigations of cybersecurity incidents and pursue legal actions against the hackers responsible.

Schedule a Consultation To Discuss Cybersecurity Today

We focus on helping our clients develop actionable solutions before and after problems arise. Since no system is ever 100% secure, cyberattacks and security breaches can occur despite intensive efforts to avoid them. When they do occur, companies need a coordinated and effective response. 

Our experience in multi-disciplinary crisis management allows us to advise our clients on handling emergent situations as effectively and efficiently as possible, and with minimal impact on processes and operations. Contact our experienced cybersecurity and data privacy attorneys at 757-446-8600 or send us a message and let us know how we can help.
