At the end of May, 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft proposal only covers a few topics the Agency is seeking to cover. The issues covered in this draft of the regulations include data collection and processing
While previous cybersecurity legislation has largely been unable to pass through Congress, the Strengthening American Cybersecurity Act of 2022 was introduced by U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), and has been viewed as a priority as threats of cyber incidents continue to rise. The Senate unanimously passed the Act, which, in its current form, would require federal agencies and critical infrastructure operators to report cyberattacks within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Should the legislative package make it through the House unchanged, it would also require critical infrastructure companies to report ransomware payments within 24 hours. The Act combines language from the three bills Senators Portman and Peters have authored in the past – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.
Continue Reading U.S. Senate Unanimously Passes Cybersecurity Bill on March 2, 2022
On September 21, 2021 the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issue an updated memo on the potential sanctions risk associated with facilitating ransomware payments and to once again note “proactive steps” companies can take to mitigate such risks. See “The OFAC memo”, available here. The memo comes on the heels of increased regulatory activity and public statements regarding ransomware by the Biden Administration, and further, on the heels of the OFAC’ s designation and sanction of SUEX OTC, S.R.O for its part in facilitating financial transactions for ransomware actors involving illicit proceeds from at least eight ransomware variants.
The revised memo stresses OFAC’s concern with many different types of companies that have a role in ransomware cases and subsequent payment. The memo notes:
Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.(emphasis supplied).
The OFAC memo next notes that the growth and facilitation of ransomware payments threatens the national security and foreign policy of the country:
Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber ransom or extortion demands. [emphasis supplied].
Continue Reading OFAC Issues a New Advisory Memo on Potential Sanctions Risk for Facilitating Ransomware Payments
On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment…
As the global pandemic begins to show signs of waning, cyber risk is showing no such easing. In fact, in a recent survey, over 68% of business leaders reported believing that their cybersecurity risks are increasing, despite their own mitigation strategies. Organizations in this coming year will continue to face a constantly evolving threat landscape…
This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software. Since then, vulnerability has been independently verified and confirmed by Microsoft. It is believed to have been used by foreign-state threat actors for an unknown period of time, extending at least to January, 2021. Exchange acts as the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.
While the vulnerability does not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with Exchange servers.
Companies that use Microsoft Exchange Server for email messaging in any version should take immediate steps to address the situation. Office 365 is not affected, but companies with physical Exchange servers combined with Office 365 would still be vulnerable. The vulnerability effects every version of Microsoft Exchange Server from 2010 through 2016. The exploited vulnerability and potential back door allows a remote attacker full access and control of the organization’s Exchange server, including all the data residing on it—emails, attachments, contacts, notes, tasks, calendar items, etc. Attackers using the vulnerability can also identify a mailbox by user name and view or copy the entire mailbox contents.
The seriousness of the issue is difficult to understate. Using the exploit, intruders are able to leave behind one or more “web shell,” scripts for future use. A web shell is an easily-operated, password-protected hacking tool that can be accessed from any browser over the Internet; they are also commonly used for legitimate functions, and thus difficult to identify as malware by file type alone. …
Continue Reading Organizations Using Microsoft Exchange Mail Server Face Severe Cybersecurity Threat
Seyfarth Synopsis: The attorney-client privilege is a bedrock legal principle that protects a client from providing a court or adversary with confidential communications exchanged in the course of providing or receiving legal advice with an attorney. Cybersecurity data breach, often accompanied by ransom/extortion demands and threats of publication of sensitive information, diminish the attorney-client privilege protection and raise ethical issues as to an attorney’s duty in protecting the privilege from being waived. …
Continue Reading Ransomware with Data Exfiltration and Threatened Leak Extortion
A nationwide fraudulent unemployment benefits cyber scam has been making headlines for many months now and still continues to threaten employers and countless individuals throughout the United States. Threat actors continue to exploit overwhelmed governmental agencies and are filing claims for benefits using the personal information of people who have not lost their jobs. The false claims have been estimated in the hundreds of millions of dollars of fraudulent unemployment claims being paid to threat actors. This fraud is a sharp reminder that sensitive personal information in the wrong hands can result in tremendous harm. Employers should remain vigilant and alert their workforce, promptly challenge fraudulent claims, and check cyber-security practices and policies to help protect against this and other cyber threats.
It is estimated that nearly 53 million unemployment claims were filed during the few months of the coronavirus pandemic and the threat has continued into 2021. Many state agencies, already understaffed and functioning with older technology and fraud detention protocols, were not prepared for the onslaught and have become tremendously overwhelmed. The resulting delays and chaos in processing so many unemployment claims in such a short time has set the perfect stage for threat actors to take advantage.
Under normal circumstances, when the unemployment claim is filed, the agency will send timely notice to the employer to provide the opportunity to protest the claim. Typically the employer has ten days to protest. However, during the pandemic, unemployment offices across the country have struggled to get the notices out to employers – taking months rather than days. Consequently, employers are receiving the protest notices after the time has expired to protest the claim. Most people learn they are affected when they get a notice from the state unemployment benefits office about their supposed application for benefits. By then, however, the benefits usually have been paid to an account the criminals control. Further, it is not clear given the magnitude of claims and impact on individuals whether in some instances agencies are paying even before they send the protest notice. …
Continue Reading COVID-19 Unemployment Benefits Scams Continue Well Into the Pandemic
In response to the COVID-19 crisis, nearly all companies and organizations were abruptly forced to transition portions of, and in many cases, their entire workforce to remote work. After a few weeks, it seems that many companies have adjusted to this “new normal” and settled in, albeit with some lingering technical and connectivity issues. As companies raced to get their employees up and running remotely, it is likely many were primarily focused on connectivity and security, while necessarily ignoring the complex privacy, security, compliance, and document preservation challenges lurking below the surface of the “new norm.”
Companies will begin to realize that transitioning to a remote workforce can lead to unintended consequences that can and should now be addressed. Some of these unintended consequences include:
- Information Technology (“IT”) departments deploying software and systems such as Microsoft Teams, Slack, etc that have not yet been properly tested, including establishing retention periods, back-up procedures, and acceptable use policies.
- “Shadow IT” issues relating to employees using whatever services and products they think will help them do their remote job better, even when those products or services are not vetted by, supported by, or welcomed by corporate IT.
- Informal communications using messaging tools or social media platforms that are either not preserved subject to an active litigation hold notice, or that violate company policy, or frame the company in a negative light.
- Remote employee use of unauthorized external or cloud-based storage for company data.
- Information subject to a litigation hold notice being lost due to the inadequate back-up of laptops and other systems being used off-premises.
- Recycling of laptops, desktops, and mobile devices subject to a litigation hold notice in order to ensure rapid deployment of remote workforce.
- Employees using personal devices to store information and communications that are or could become subject to a litigation hold notice.
- Risking breach of confidential, sensitive, or personally identifying information (“PII”) due to lack of adequate remote security.
- Employees using unauthorized, unsecured, commercial collaboration tools.
- Employees using unsecured endpoints or endpoints with consumer-grade antivirus or antimalware.
- Employees operating off-network such that corporate firewalls for phishing and network intrusion are not engaged.
- Terminated employees subject to a litigation hold notice.
This month, the Federal Bureau of Investigation published information and guidance for organizations about ransomware attacks, along with some suggested preventative measures. There is a section in the bulletin discussing whether victims should consider paying ransom to attackers. According to the statement, the FBI “does not advocate paying a ransom, in part because it does not guarantee and organization will regain access to its data,” and paying ransoms emboldens criminals to target others.
Several of the suggested “best practices” are somewhat generalized, such as increased employee awareness about how ransomware is delivered, and basic security techniques (we would recommend adding anti-phishing training and tests to the list). However, several others are more specific. All of the measures listed should be considered as parts of a comprehensive standard information security program.
Among the list of the FBI’s “Cyber Defense Best Practices” recommended are:…
Continue Reading FBI Public Service Announcement on Ransomware