Corporations face unprecedented challenges in safeguarding sensitive data and mitigating privacy risks in an era marked by the rapid proliferation of Internet of Things, or IoT, devices.

Recent developments, including federal and state regulators’ heightened focus on privacy enforcement, highlight the importance of proactive risk management, compliance and data governance. As IoT and smart devices continue to hit the marketplace, heightened scrutiny for businesses’ data governance practices follows.

The Federal Trade Commission’s recent technology blog, “Cars & Consumer Data: On Unlawful Collection & Use”[1] underscores the agency’s commitment to enforcing consumer protection laws. Despite their blog’s focus on the car industry, the FTC’s message extends to all businesses, emphasizing its vigilance against illegal — or “unfair and deceptive” — collection, use and disclosure of personal data.

Recent enforcement actions are a stark reminder of the FTC’s proactive stance in safeguarding consumer privacy.

Geolocation data is a prime example of sensitive information subject to enhanced protections under the Federal Trade Commission Act. Much like mobile phones, cars can reveal consumers’ persistent, precise locations, making them susceptible to privacy infringements.Continue Reading Careful Data Governance Is a Must Amid Enforcement Focus

On August 2, 2024, Illinois Governor J. B. Pritzker signed legislation reforming Illinois’ Biometric Information Privacy Act (BIPA). Senate Bill 2979 immediately amends BIPA to limit a private entities’ potential liability for collecting or sharing biometric data without consent.

The BIPA amendment followed a call for action  directed at the legislature from the Illinois courts.

This post was originally published to Seyfarth’s Global Privacy Watch blog.

On July 10th, the European Commission issued its Implementing Decision regarding the adequacy of the EU-US Data Privacy Framework (“DPF”). The Decision has been eagerly awaited by US and Europe based commerce, hoping it will help business streamline cross-Atlantic data transfers, and by

At the end of May, 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft proposal only covers a few topics the Agency is seeking to cover. The issues covered in this draft of the regulations include data collection and processing

Introduction

While previous cybersecurity legislation has largely been unable to pass through Congress, the Strengthening American Cybersecurity Act of 2022 was introduced by U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), and has been viewed as a priority as threats of cyber incidents continue to rise. The Senate unanimously passed the Act, which, in its current form, would require federal agencies and critical infrastructure operators to report cyberattacks within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Should the legislative package make it through the House unchanged, it would also require critical infrastructure companies to report ransomware payments within 24 hours. The Act combines language from the three bills Senators Portman and Peters have authored in the past – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.
Continue Reading U.S. Senate Unanimously Passes Cybersecurity Bill on March 2, 2022

On September 21, 2021 the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issue an updated memo on the potential sanctions risk associated with facilitating ransomware payments and to once again note “proactive steps” companies can take to mitigate such risks. See “The OFAC memo”, available here.  The memo comes on the heels of increased  regulatory activity and public statements regarding ransomware by the Biden Administration, and further, on the heels of the OFAC’ s designation and sanction of SUEX OTC, S.R.O for its part in facilitating financial transactions for ransomware actors involving illicit proceeds from at least eight ransomware variants.

The revised memo stresses OFAC’s concern with many different types of companies that have a role in ransomware cases and subsequent payment.  The memo notes:

Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.(emphasis supplied).

The OFAC memo next notes that the growth and facilitation of ransomware payments threatens the national security and foreign policy of the country:

Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber ransom or extortion demands. [emphasis supplied].
Continue Reading OFAC Issues a New Advisory Memo on Potential Sanctions Risk for Facilitating Ransomware Payments

Introduction

On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment

As the global pandemic begins to show signs of waning, cyber risk is showing no such easing.  In fact, in a recent survey, over 68% of business leaders reported believing that their cybersecurity risks are increasing, despite their own mitigation strategies. Organizations in this coming year will continue to face a constantly evolving threat landscape

This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software.  Since then, vulnerability has been independently verified and confirmed by Microsoft.  It is believed to have been used by foreign-state threat actors for an unknown period of time, extending at least to January, 2021.  Exchange acts as the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.

While the vulnerability does not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with Exchange servers.

Companies that use Microsoft Exchange Server for email messaging in any version should take immediate steps to address the situation.  Office 365 is not affected, but companies with physical Exchange servers combined with Office 365 would still be vulnerable.  The vulnerability effects every version of Microsoft Exchange Server from 2010 through 2016.  The exploited vulnerability and potential back door allows a remote attacker full access and control of the organization’s Exchange server, including all the data residing on it—emails, attachments, contacts, notes, tasks, calendar items, etc.  Attackers using the vulnerability can also identify a mailbox by user name and view or copy the entire mailbox contents.

The seriousness of the issue is difficult to understate.  Using the exploit, intruders are able to leave behind one or more “web shell,” scripts for future use.  A web shell is an easily-operated, password-protected hacking tool that can be accessed from any browser over the Internet; they are also commonly used for legitimate functions, and thus difficult to identify as malware by file type alone.
Continue Reading Organizations Using Microsoft Exchange Mail Server Face Severe Cybersecurity Threat