Cybersecurity and Data Privacy

Dear Mary,

One of our employees recently fell victim to a phishing attack, allowing unauthorized access to their email account for a brief period. To be safe, we reset everyone’s passwords and terminated all active sessions. We’re now in the process of hiring a law firm to determine if we need to notify anyone about the incident. It’s taking a little longer to get them engaged, but I’m hoping to have this done soon. In the meantime, is there anything else we should be considering?

– Not Entirely Clueless in Connecticut

Continue Reading Preserving Forensic Artifacts Following Incident Detection

Dear Mary,

We were recently impacted by a vendor incident, and the vendor is offering to provide notice to the impacted individuals on our behalf. That sounds like great news to us, but is this something we can and should consider?

– Potentially Optimistic in Miami

Continue Reading Can Vendors Notify Affected Individuals on Behalf of Businesses After a Data Breach?

California Attorney General (AG) Rob Bonta and Los Angeles City Attorney Hyde Feldstein Soto recently settled a lawsuit with Tilting Point Media, LLC (Tilting Point) related to a SpongeBob SquarePants-themed app. In the complaint, Tilting Point is accused of collecting, using, and sharing the personal information of children in violation of the Children’s Online Privacy Protection Act (COPPA).

Continue Reading California Regulators Settle With Kids Gaming App

Dear Mary,

One of our critical service providers recently suffered a cyberattack. It’s all over the news, and our business operations are severely impacted. We’re losing money every day, and we have no idea how long this will last. Do you have any suggestions on what to do? The lack of information from our service provider is incredibly frustrating.

– Frustrated in Dallas

Continue Reading How to Respond When Your Service Provider Suffers a Cyberattack

Dear Mary,

We received a data request from Health and Human Services, Office for Civil Rights, today. It was in connection with a data security incident that happened almost a year ago. Is this normal? Should this impact how we respond?

– Not Forgotten in New Orleans

Continue Reading Understanding Regulatory Response Times Following a Cybersecurity Incident

Dear Mary,

We had a security incident a few weeks back that luckily turned out to be nothing. I’ll tell you, tension was high around here while the investigation was ongoing because there was a possibility that it was going to be bad. The forensic firm (hired by our outside counsel) figured out that the incident resulted from a misconfiguration in our MFA. We fixed that and now I’m wondering whether we really need a forensic report given the limited impact. I am not sure I understand the need.

– Uncertain in Atlanta

Continue Reading Does Every Incident Require a Forensic Report?

Dear Mary,

I work in the IT department of a mid-sized company that recently detected a security incident. Everyone is freaking out – minus me. My manager asked our IT team to investigate the incident. But the incident is already contained, and business is back to normal. Why do we need to investigate further? Like seriously, why? And if we do need to investigate further, should I be doing this? I’ve been in IT for a while, and I have never been in this situation before.

– Forensic Forgoer in Florida

Continue Reading Should Companies Conduct Their Own Forensic Investigations?

We are pleased to introduce ‘Dear Mary,’ a new advice column from Troutman Pepper’s Incidents + Investigations team. This column will answer questions about anything and everything cyber-related — data breaches, forensic investigations, responding to regulators, and much more. ‘Dear Mary’ goes beyond the articles, podcasts, webinars, and other content we produce, as we are responding directly to your questions with concise, practical answers. ‘Dear Mary’ can be found here on the firm website, and direct links can be found on our Privacy + Cyber related blogs and newsletters.

Continue Reading Troutman Pepper Launches ‘Dear Mary’ Advice Column

On May 8, attorneys general (AG) from 14 states and the District of Columbia sent a letter to Congressional leadership opposing provisions of the recently proposed federal American Privacy Rights Act (APRA). In addition to the District of Columbia, the signatory states include California, Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Minnesota, Nevada, New York, Oregon, Pennsylvania, and Vermont. Their objections primarily center on the APRA’s preemption clause, which would nullify 16 state comprehensive data privacy laws that have been enacted since 2018.

Continue Reading State AG Coalition Opposes Current Federal Privacy Legislation

This article was originally published in American City & County on March 1, 2024.

For years, private companies have struggled to protect the data of consumers against security incidents and cyber-attacks by malicious threat actors. More recently, there has been a growing surge of data breaches impacting the public sector, and local governments face unique challenges in responding to such incidents.

Continue Reading Unique Aspects of Data Incident Response in Local Government