By Jennifer Archie and Alex Stout

Tax-related identity theft is nothing new, but tax season 2016 took tax schemes to a new level.

Last year, our cyber experts advised a large cluster of clients (public and private companies) over a period of only two weeks, following a nationwide explosion of deviously simple attacks—mostly targeted at mid-size companies—that followed the same fact pattern:  the Director of Human Resources or Chief Financial Officer received an email appearing to come from a senior executive (normally the CEO) asking for copies of all of the company’s W-2 tax forms; the recipient was fooled by the email and sent the requested records to the attacker; and hours or days later, the company came to the sickening realization that hundreds, if not thousands, of personnel records were compromised. Even worse, the stolen information was rapidly exploited in fraudulent tax return filings, diverting expected tax refunds to the scammers, and saddling often the most senior (highly compensated) company employees with a huge headache of sorting out their personal finances and tax return status with the IRS.

These tax refund thefts attacks are highly automated, quick, easy, and inexpensive to initiate, and last year fraudsters blanketed businesses with record volumes of attacks. As simple as the attacks are, it can be a difficult and painful process to protect your employees in the aftermath.

The SEC today published in the Federal Register its Regulation SCI (Regulation Systems Compliance and Integrity), which requires key market participants to have and implement written policies and procedures reasonably designed to ensure the availability, confidentiality and integrity of their systems as necessary to assure the fair and orderly operation of the markets.  Among the specific requirements are periodic testing, annual systems review and disclosure of “SCI events” – including both functional and security issues.  In addition to security issues,

By Kevin Boyle & Alex Stout

heartbleed.pngHardly a day passes now without some new report of a security vulnerability with inevitable breaches that follow, but Monday’s news about the two-year old vulnerability in OpenSSL is (or should be) catching everyone’s attention.  The problem is a coding error in a widely used cryptographic software library for implementing secure connections between a website (or web interface on a hardware device) and its user (typically indicated by a reassuring padlock in the status

By Omar Elsayed

Although some surveys of privacy law suggest otherwise, privacy requirements do in fact exist in the Kingdom of Saudi Arabia (KSA)and are very relevant to companies operating there or seeking to provide services to customers in KSA.

Background

The paramount body of law in KSA is the Sharīʿah. The Sharīʿah is comprised of a collection of fundamental principles derived from a number of different sources, which include the Holy Qu’ran and the Sunnah, which are

Thumbnail image for iStock_Lock.jpgThe American Institute of Certified Public Accountants (“AICPA”) Statement of Auditing Standard No. 70, or SAS 70 as it is more commonly known, has been with us since April 1992. On 15 June 2011, it will effectively be replaced by two new standards: (i) a reporting standard for service organisations, the “Statement on Standards for Attestation Engagements No. 16” (or SSAE 16 as it will no doubt be referred to); and (ii) an audit standard for customers of

Thumbnail image for iStock_000005643842XSmall.jpgGoogle has consented to the entry of a proposed Agreement Containing Consent Order with the US Federal Trade Commission, subjecting the company to sweeping government oversight of its privacy disclosure and product development and release practices, nominally arising out of the roll-out of its Buzz product in February 2010. The auditing and reporting requirements are staggering in scope, breadth and duration, reaching Google’s entire business, not merely online communication products such as Gmail. One interpretation of the (rather amazing) document

On October 28, 2010, the Payment Card Industry Data Security Standard (PCI DSS) 2.0 was released. There are no new requirements, mostly the PCI Security Standard Council (“Council”) made wording clarifications throughout the 12 existing requirements.

These changes go into effect January 1, 2011, but merchants don’t have to be compliant with them until December 31, 2011. The next major update is expected to be in 2013.

Here are a few significant highlights of what the PCI DSS 2.0 has

Illinois recently enacted the Employee Credit Privacy Act (“ECPA” or the “Act”), which prohibits employers from recruiting and hiring applicants based on such individuals’ credit histories or credit reports. The Act, which was adopted on August 11, 2010 and will take effect on January 1, 2011, generally prohibits employers from inquiring about an applicant’s or employee’s credit history or ordering or obtaining an applicant’s or employee’s credit report from a consumer reporting agency. The Act also prohibits an employer from