This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software.  Since then, vulnerability has been independently verified and confirmed by Microsoft.  It is believed to have been used by foreign-state threat actors for an unknown period of time, extending at least to January, 2021.  Exchange acts as the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.

While the vulnerability does not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with Exchange servers.

Companies that use Microsoft Exchange Server for email messaging in any version should take immediate steps to address the situation.  Office 365 is not affected, but companies with physical Exchange servers combined with Office 365 would still be vulnerable.  The vulnerability effects every version of Microsoft Exchange Server from 2010 through 2016.  The exploited vulnerability and potential back door allows a remote attacker full access and control of the organization’s Exchange server, including all the data residing on it—emails, attachments, contacts, notes, tasks, calendar items, etc.  Attackers using the vulnerability can also identify a mailbox by user name and view or copy the entire mailbox contents.

The seriousness of the issue is difficult to understate.  Using the exploit, intruders are able to leave behind one or more “web shell,” scripts for future use.  A web shell is an easily-operated, password-protected hacking tool that can be accessed from any browser over the Internet; they are also commonly used for legitimate functions, and thus difficult to identify as malware by file type alone. Continue Reading Organizations Using Microsoft Exchange Mail Server Face Severe Cybersecurity Threat

Seyfarth Synopsis:  The attorney-client privilege is a bedrock legal principle that protects a client from providing a court or adversary with confidential communications exchanged in the course of providing or receiving legal advice with an attorney.  Cybersecurity data breach, often accompanied by ransom/extortion demands and threats of publication of sensitive information, diminish the attorney-client privilege protection and raise ethical issues as to an attorney’s duty in protecting the privilege from being waived.  Continue Reading Ransomware with Data Exfiltration and Threatened Leak Extortion

A nationwide fraudulent unemployment benefits cyber scam has been making headlines for many months now and still continues to threaten employers and countless individuals throughout the United States.   Threat actors continue to exploit overwhelmed governmental agencies and are filing claims for benefits using the personal information of people who have not lost their jobs.  The false claims have been estimated in the hundreds of millions of dollars of fraudulent unemployment claims being paid to threat actors.  This fraud is a sharp reminder that sensitive personal information in the wrong hands can result in tremendous harm.  Employers should remain vigilant and alert their workforce, promptly challenge fraudulent claims, and check cyber-security practices and policies to help protect against this and other cyber threats.

It is estimated that nearly 53 million unemployment claims were filed during the few months of the coronavirus pandemic and the threat has continued into 2021.  Many state agencies, already understaffed and functioning with older technology and fraud detention protocols, were not prepared for the onslaught and have become tremendously overwhelmed.  The resulting delays and chaos in processing so many unemployment claims in such a short time has set the perfect stage for threat actors to take advantage.

Under normal circumstances, when the unemployment claim is filed, the agency will send  timely notice to the employer to provide the opportunity to protest the claim.  Typically the employer has ten days to protest.  However, during the pandemic, unemployment offices across the country have struggled to get the notices out to employers – taking months rather than days.  Consequently, employers are receiving the protest notices after the time has expired to protest the claim.  Most people learn they are affected when they get a notice from the state unemployment benefits office about their supposed application for benefits.  By then, however, the benefits usually have been paid to an account the criminals control.  Further, it is not clear given the magnitude of claims and impact on individuals whether in some instances agencies are paying even before they send the protest notice. Continue Reading COVID-19 Unemployment Benefits Scams Continue Well Into the Pandemic

Business executives face the challenge of improving their company’s cybersecurity posture while balancing costs. The consequences of a cyberattack – including lost revenue, customers, diminished reputation and credibility, or even total shut down – force executives to prioritize cybersecurity within their budgets and strategize how to best allocate their limited resources. How should business executives prioritize improving their cybersecurity postures in the most cost-effective way?

Join us for this web event where Joe Rooney of BDO will moderate a discussion between Ric Opal of BDO Digital and Scott Carlson of Seyfarth Shaw to share what cybersecurity strategies and industry trends they are seeing in the market from an executive perspective. Azure Security Center addresses the three most urgent security challenges:

We’ll look at:

  • Trending cybersecurity legal risks that businesses are facing – including breach prevention, incident response, employee training, and resulting litigation
  • What businesses are doing to successfully implement a cybersecurity strategy
  • If you do nothing else, do these three things to protect your organization, data, and people

Speakers

Scott Carlson, Partner, Seyfarth Shaw LLP
Ric Opal, Principal, BDO Digital, LLC

Moderator

Joe Rooney, Business Development, BDO USA, LLP

California has once again decided it needed to pass privacy legislation to protect the residents of the great state from the nefarious actions of Big Tech. However, this time they did it with a ballot initiative and not via the thoughtful (mostly) mechanism of the legislative process. The proponents of the California Privacy Rights Act of 2020 (“CPRA”) touted this as an improvement over the CCPA – but is it really? To listen to the proponents of the CPRA, it aims to strengthen California consumer privacy rights, while for the most part, avoiding the imposition of overly-burdensome requirements on a business, particularly those businesses that are already CCPA compliant. So, what’s changed, really? Continue Reading California Prop 24 – Is the New Privacy Law Really New (Or Is the Sky Falling)

From court closures and the way judges conduct appearances and trials to the expected wave of lawsuits across a multitude of areas and industries, the COVID-19 outbreak is having a notable impact in the litigation space—and is expected to for quite some time.

To help navigate the litigation landscape, we are kicking off a webinar series that will take a look at what’s happening now and what to expect in terms of litigation practice and litigation trends in the months to come. The initial webinars detailed below will be supplemented by topic-specific programs that will take a deeper dive into the respective topics. Feel free to attend one or all, and please invite your colleagues.

Court Is “In Session”: The Post-Pandemic Courthouse

In the first installment of our Post-Pandemic Litigation Webinar Series, Seyfarth litigators from a variety of legal disciplines will examine the virtual courthouse in a post-pandemic world. Specifically, our presenters will address:

  • What is going on in courts across the country, and how/when are they rescheduling
  • How will state, federal, and bankruptcy courts run post-pandemic
  • Will we be able to have jury trials
  • How long this “new normal” is expected to last
  • Necessary tools needed to adapt and keep your cases moving forward
Moderator:

Scott Carlson, Partner, Seyfarth Shaw

Speakers:

Suzanna Bonham, Partner, Seyfarth Shaw
Gina Ferrari, Partner, Seyfarth Shaw
William Hanlon, Partner, Seyfarth Shaw
Scott Humphrey, Partner, Seyfarth Shaw

Tuesday, July 14, 2020

1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

If you have any questions, please contact Colleen Vest at cvest@seyfarth.com and reference this event.

New Era, New Litigation: Lawsuits You Can Expect in the Post-Pandemic Environment

During the second installment of our Post-Pandemic Litigation Webinar Series, our panel will provide high-level insights on what companies of all sizes can expect in terms of litigation as a result of COVID-19. Specifically, our presenters will address the high-level trends we are observing in the following areas:

  • Bankruptcy and Financial Services
  • Class Actions and TCPA
  • Commercial Litigation
  • Construction and Real Estate Litigation
  • Health Care, Life Sciences, and Pharmaceutical
  • Securities Litigation
  • Trade Secrets and Cybersecurity/Privacy
Moderator:

James McGrath, Partner, Seyfarth Shaw

Speakers:

Kristine Argentine, Partner, Seyfarth Shaw
Jesse Coleman, Partner, Seyfarth Shaw
Tonya Esposito, Partner, Seyfarth Shaw
Richard Lutkus, Partner, Seyfarth Shaw
Kate Schumacher, Partner, Seyfarth Shaw
Rebecca Woods, Partner, Seyfarth Shaw

Wednesday, July 22, 2020

1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

If you have any questions, please contact Danielle Freeman at dfreeman@seyfarth.com and reference this event.

Yesterday, California Attorney General Xavier Becerra announced his submission of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).  Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA.  This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.

Back in April, we discussed our expectations for the Final Regulations, which remain largely unchanged from the March 11, 2020 draft.  In that post, we assessed certain elements of the Regulations that seemed to be in flux, such as notice at collection, and of financial incentives, consumer opt-out rights, and the handling of requests to know and delete.

An important note is that the AG has requested an expedited timeline for OAL review in order to make the July 1 date for enforcement applicable.  Specifically, Attorney General Becerra points to his particularly early submission of his rulemaking package in advance of his October deadline. This is in support of his request for the OAL to expedite their review consistent with the standard 30 business day requirement, which would bring the Regulations’ effective date close to in line with the CCPA’s specified July 1, 2020 enforcement date. Continue Reading California Attorney General Becerra Publishes Final Text of Proposed CCPA Regulations

At the beginning of 2020, a Federal privacy law, similar to that of GDPR or PIPEDA, was a faint and distant reality. However, in light of some mobile device and other monitoring being considered because of the COVID-19 pandemic, US Senators Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; John Thune (R-S.D.), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Jerry Moran (R-Kan.), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Marsha Blackburn (R-Tenn.) announced on Friday, May 1, a bill proposing the enactment of the “COVID-19 Consumer Data Protection Act,” which would apply to American health, geolocation, and proximity information.

This comes as various tech giants rush to develop an opt-in functionality or application that would allow users to trace their whereabouts to determine potential exposure to the deadly virus. The proposed Act aims to heighten protection for Americans’ data by imposing requirements on businesses similar to those seen in the CCPA and GDPR, such as providing notice to consumers at the point of collection regarding how data will be handled, how long it will be maintained, and to whom it may be transferred. Businesses would also need to allow consumers to opt out of the collection, processing, or transfer of applicable data under the Act. Further, businesses regulated by the FTC would be required to obtain affirmative consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for purposes of tracking the spread of COVID-19. We also see the concepts of data de-identification, data minimization, data security requirements, which all similarly sound very familiar.

While this proposed legislation applies only to health, proximity, and geolocation data, the burning question becomes whether, if enacted, this Act will pave the path toward Federal US Privacy Legislation.

While the United States largely hit the brakes as of March in the wake of the COVID-19 crisis, California Attorney General Xavier Becerra made clear his intentions to begin enforcement of the Act on July 1, 2020, as originally planned. This announcement came despite many organizations’ pleas to defer enforcement in order to relieve the additional stress imposed on organizations as they respond to the COVID-19 crisis, and continue to work towards ensuring their compliance with the CCPA. While Becerra has not yet published his final regulations on the Act, there are aspects of the regulations that we expect to be largely intact in their current form once the final regulations are out as a result of reviewing the three drafts Attorney General Becerra has already produced.

Multiple Notice Requirements

The CCPA introduces a number of requirements with regards to consumer notice. The CCPA expressly introduces the concept of “layered notices.” This means passive notice requirements in the form of a privacy policy are not all that is required. There are also affirmative notice requirements at different points of a business-consumer relationship – not the least of which is at the point the business collects consumer data.

The CCPA Regulation imposes requirements for notice under sections 999.304, 999.305, and 999.308.  Section 304 lays out a roadmap for the types of notices required under the CCPA.  It states that a business required to comply with the CCPA must have a privacy policy. It imposes the requirement of a notice at the point a business collects personal information from a consumer. It also requires that a business provide a notice of a California consumer’s right to opt out if a business is selling the consumer’s personal data. Finally, under section 999.304, a business must also notify a consumer if it is offering a financial incentive or price differential for the disclosure of personal information. What isn’t clear around all of these notices is “where do they go?”

The CCPA makes abundantly clear that regardless of the type of notice a business is providing, it needs to be easily understandable, noticeable, interpretable, and accessible.

Specific Content Requirements

Throughout the multiple rounds of revisions, certain aspects of the Attorney General Regulations have remained largely untouched. It is therefore reasonable to rely on the following provisions being consistently incorporated into the final version of the Regulations. Accordingly, those preparing for CCPA enforcement beginning July 1, might start by ensuring the following:

  • Any notice or privacy policy provided to consumers:
    • avoids legal jargon and technical language, and is instead prepared in plain, easy-to understand language (don’t just reproduce the statutory language for categories of data collected);
    • is prepared in a format that readable, taking into account the types of devices from which a reader may access (think mobile v. laptop or tablet);
    • is available in the languages consistent with the contracts, disclaimers, announcements, etc. that the company provides in the ordinary course of business;
    • is accessible to those with disabilities.
  • The business’ privacy policy should also generally outline the consumer’s right to know about information collected, disclosed, or sold; their right to request deletion, right to opt out of the sale of personal information, and right to non-discrimination; it should include contact information for questions or concerns, and the date last modified.

Specific Process Requirements

With all the notice requirements come requirements to have processes and procedures in place to actually fulfill the obligations set out in the notices. To that end, the CCPA regulations have been consistent across all three drafts with the need for the following:

  • The business’ privacy policy is conspicuously posted on its website, or otherwise obviously available to consumers;
  • California consumer personal information is not utilized beyond the means initially disclosed at collection;
  • Collection does not happen unless a consumer has been notified;
  • No additional consumer information is collected or used beyond the disclosures at collection, without first notifying the consumer (and the notice has to include all those other notice provisions noted above);
  • Mechanisms for handling consumer requests are in place:
    • Consumers are provided with two or more methods for submitting requests to delete and opt out;
    • Businesses should consider their usual forms of contact with consumers to determine the appropriate mechanism for submitting such requests;
    • Businesses should develop a workflow to ensure requests are acknowledged within 10 business days, and responded to within 45 calendar days;
    • Businesses should ensure that they’re able to verify consumer identity open receipt of a request to know or delete;
    • Development of a two step-process for requests to opt into the sale of personal information.
  • Appropriate training is performed so employees or contractors handling consumer personal information understand the requirements of the CCPA and Regulations;
  • Record retention schedules and policies are updated to account for consumer records requests; and
  • The business has reasonable security measures in place to transmit personal information.

What we Aren’t Sure About

While we do have some insight as to the content of the final regulations, we still have to note that a number of important elements are not yet stable. The components of notice at collection seem to be slightly in flux. Where each notice might be presented (can you combine notices?) is also unclear. The Opt-Out Right also seems to be changing. This is mostly a function of what defines a “sale” and whether there will be exceptions to the currently absolute Opt-Out Right. The same is the case with the notice requirement around financial incentives (but components of this notice haven’t changed too much). Finally, the handling of requests to know/delete seem to be changing as well.

Conclusion

Following two rounds of revisions, we more than ever have an understanding of what will be required of businesses under the CCPA Regulations.  Various requirements and components of notice and the handling of consumer requests have remained largely unchanged, thus making those elements a reliable place to start in terms of CCPA compliance.  Attorney General Becerra has no intention at this time to defer the July 1, 2020 enforcement date, so time is of the essence for currently non-compliant businesses.

In response to the COVID-19 crisis, nearly all companies and organizations were abruptly forced to transition portions of, and in many cases, their entire workforce to remote work.  After a few weeks, it seems that many companies have adjusted to this “new normal” and settled in, albeit with some lingering technical and connectivity issues.  As companies raced to get their employees up and running remotely, it is likely many were primarily focused on connectivity and security, while necessarily ignoring the complex privacy, security, compliance, and document preservation challenges lurking below the surface of the “new norm.”

Companies will begin to realize that transitioning to a remote workforce can lead to unintended consequences that can and should now be addressed. Some of these unintended consequences include:

  1. Information Technology (“IT”) departments deploying software and systems such as Microsoft Teams, Slack, etc that have not yet been properly tested, including establishing retention periods, back-up procedures, and acceptable use policies.
  2. “Shadow IT” issues relating to employees using whatever services and products they think will help them do their remote job better, even when those products or services are not vetted by, supported by, or welcomed by corporate IT.
  3. Informal communications using messaging tools or social media platforms that are either not preserved subject to an active litigation hold notice, or that violate company policy, or frame the company in a negative light.
  4. Remote employee use of unauthorized external or cloud-based storage for company data.
  5. Information subject to a litigation hold notice being lost due to the inadequate back-up of laptops and other systems being used off-premises.
  6. Recycling of laptops, desktops, and mobile devices subject to a litigation hold notice in order to ensure rapid deployment of remote workforce.
  7. Employees using personal devices to store information and communications that are or could become subject to a litigation hold notice.
  8. Risking breach of confidential, sensitive, or personally identifying information (“PII”) due to lack of adequate remote security.
  9. Employees using unauthorized, unsecured, commercial collaboration tools.
  10. Employees using unsecured endpoints or endpoints with consumer-grade antivirus or antimalware.
  11. Employees operating off-network such that corporate firewalls for phishing and network intrusion are not engaged.
  12. Terminated employees subject to a litigation hold notice.

Continue Reading COVID-19 Remote Workforce Risks – Preservation, Compliance, Privacy, and Data Security Risks