At the end of May, 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft proposal only covers a few topics the Agency is seeking to cover. The issues covered in this draft of the regulations include data collection and processing
On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed mandates for cybersecurity disclosures by public companies. If adopted, these mandates seek to provide investors a deeper look into public companies’ cybersecurity risk, governance, and incident reporting practices. SEC chair Gary Gensler noted in a statement regarding the proposed mandates that cybersecurity incidents continue to become a growing risk with “significant financial, operational, legal, and reputational impacts.”
“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.” – Gary Gensler, SEC Chairperson…
On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Act will require critical infrastructure organizations (defined below) to report cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The Act also creates an obligation to report ransomware payments within 24 hours.
According to the Federal Bureau of Investigation’s 2021 Internet Crime Report, released on March 23, 2022, cyber incidents rose 7% from 2020, with potential losses topping $6.9 billion. Many of the most threatened organizations fall into the critical infrastructure sector, and in 2021 alone, cyber incidents caused oil and food shortages, as well as supply chain threats. With cyber incidents reaching all-time highs in 2021, the legislation purports to protect U.S. critical infrastructure entities and investigate cyber crimes moving forward. The Act suggests that reporting obligations are being implemented to ensure that the government can support in the response, mitigation, and protection of both private and public companies that are covered under the Act. Within 24 months, CISA’s director is required to issue a proposed rule, and must issue a final rule 18 months after making the proposal. The legislation also authorizes the Director of CISA to issue future regulations to amend or revise that rule.
Continue Reading President Biden Signs Bill Mandating Cyber Reporting for Critical Infrastructure Entities
While previous cybersecurity legislation has largely been unable to pass through Congress, the Strengthening American Cybersecurity Act of 2022 was introduced by U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), and has been viewed as a priority as threats of cyber incidents continue to rise. The Senate unanimously passed the Act, which, in its current form, would require federal agencies and critical infrastructure operators to report cyberattacks within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Should the legislative package make it through the House unchanged, it would also require critical infrastructure companies to report ransomware payments within 24 hours. The Act combines language from the three bills Senators Portman and Peters have authored in the past – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.
Continue Reading U.S. Senate Unanimously Passes Cybersecurity Bill on March 2, 2022
On September 21, 2021 the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issue an updated memo on the potential sanctions risk associated with facilitating ransomware payments and to once again note “proactive steps” companies can take to mitigate such risks. See “The OFAC memo”, available here. The memo comes on the heels of increased regulatory activity and public statements regarding ransomware by the Biden Administration, and further, on the heels of the OFAC’ s designation and sanction of SUEX OTC, S.R.O for its part in facilitating financial transactions for ransomware actors involving illicit proceeds from at least eight ransomware variants.
The revised memo stresses OFAC’s concern with many different types of companies that have a role in ransomware cases and subsequent payment. The memo notes:
Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.(emphasis supplied).
The OFAC memo next notes that the growth and facilitation of ransomware payments threatens the national security and foreign policy of the country:
Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber ransom or extortion demands. [emphasis supplied].
Continue Reading OFAC Issues a New Advisory Memo on Potential Sanctions Risk for Facilitating Ransomware Payments
On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment…
Seyfarth Synopsis: On May 12, 2021, President Joe Biden issued a very broad, 34 page “Executive Order on Improving the Nation’s Cybersecurity.” The Executive Order, or “EO”, can be found here. This order comes six months after the notorious SolarWinds attack, and mere weeks after other high-profile attacks have invaded our networks…
As the global pandemic begins to show signs of waning, cyber risk is showing no such easing. In fact, in a recent survey, over 68% of business leaders reported believing that their cybersecurity risks are increasing, despite their own mitigation strategies. Organizations in this coming year will continue to face a constantly evolving threat landscape…
This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software. Since then, vulnerability has been independently verified and confirmed by Microsoft. It is believed to have been used by foreign-state threat actors for an unknown period of time, extending at least to January, 2021. Exchange acts as the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.
While the vulnerability does not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with Exchange servers.
Companies that use Microsoft Exchange Server for email messaging in any version should take immediate steps to address the situation. Office 365 is not affected, but companies with physical Exchange servers combined with Office 365 would still be vulnerable. The vulnerability effects every version of Microsoft Exchange Server from 2010 through 2016. The exploited vulnerability and potential back door allows a remote attacker full access and control of the organization’s Exchange server, including all the data residing on it—emails, attachments, contacts, notes, tasks, calendar items, etc. Attackers using the vulnerability can also identify a mailbox by user name and view or copy the entire mailbox contents.
The seriousness of the issue is difficult to understate. Using the exploit, intruders are able to leave behind one or more “web shell,” scripts for future use. A web shell is an easily-operated, password-protected hacking tool that can be accessed from any browser over the Internet; they are also commonly used for legitimate functions, and thus difficult to identify as malware by file type alone. …
Continue Reading Organizations Using Microsoft Exchange Mail Server Face Severe Cybersecurity Threat
Seyfarth Synopsis: The attorney-client privilege is a bedrock legal principle that protects a client from providing a court or adversary with confidential communications exchanged in the course of providing or receiving legal advice with an attorney. Cybersecurity data breach, often accompanied by ransom/extortion demands and threats of publication of sensitive information, diminish the attorney-client privilege protection and raise ethical issues as to an attorney’s duty in protecting the privilege from being waived. …
Continue Reading Ransomware with Data Exfiltration and Threatened Leak Extortion