On September 21, 2021 the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issue an updated memo on the potential sanctions risk associated with facilitating ransomware payments and to once again note “proactive steps” companies can take to mitigate such risks. See “The OFAC memo”, available here.  The memo comes on the heels of increased  regulatory activity and public statements regarding ransomware by the Biden Administration, and further, on the heels of the OFAC’ s designation and sanction of SUEX OTC, S.R.O for its part in facilitating financial transactions for ransomware actors involving illicit proceeds from at least eight ransomware variants.

The revised memo stresses OFAC’s concern with many different types of companies that have a role in ransomware cases and subsequent payment.  The memo notes:

Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.(emphasis supplied).

The OFAC memo next notes that the growth and facilitation of ransomware payments threatens the national security and foreign policy of the country:

Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber ransom or extortion demands. [emphasis supplied]. Continue Reading OFAC Issues a New Advisory Memo on Potential Sanctions Risk for Facilitating Ransomware Payments

This post has been cross-posted from Seyfarth’s Consumer Class Defense Blog.

Now more than ever, it is important for organizations to review and update their basic information security protocols (their incident response, business continuity and crisis communications plans), and to ensure they’re keeping apprised of potential and developing security threats that may imperil their organizations (like a catastrophic ransomware attack). Nation state attacks and cyber criminal gangs efforts seem to be aimed daily at US businesses. And the ransomware plague that continues unabated, affects nearly all industry verticals.¹

Unfortunately, sometimes even when threats are known and being addressed, when employees are trained frequently regarding information security, and when the highest security precautions are taken, a threat-actor can quickly capitalize on miniscule vulnerabilities, and an organization is faced with the grueling task of picking up the pieces. This usually includes conducting a forensic investigation, updating written information security protocols, deploying patches and password resets, replacing hardware, conducting additional employee training, as well as analyzing differing state breach legislation and notifying consumers, attorneys general, and credit bureaus in accordance with those laws.

Even after these efforts, an organization is still at risk of privacy class action litigation. This might arise through a state attorney general, federal regulator, or a consumer whose data was wrongly accessed or in fact stolen during the cyber-attack.

But in order for a consumer to sue, the threshold, and hot-button, question is whether the consumer has standing under Article III of the US Constitution. [T]he “irreducible constitutional minimum” of standing consists of three elements. The plaintiff must have (1) suffered an “injury in fact” (2) that is “fairly traceable” to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision.²

This article discusses the first prong of the standing elements: injury in fact. Because it is generally difficult for plaintiffs in these actions to show financial harm, or other actual damages, arguments have been raised by the plaintiffs’ bar that the future risk of harm should suffice to meet the first prong of the standing elements. The Supreme Court stated in Spokeo, Inc. v. Robins that even when a statute has been violated, plaintiffs must show that an “injury-in-fact” has occurred that is both concrete and particularized. While this did provide some additional information, the question of how the future risk of harm fits in was left outstanding. Fortunately, on June 25, 2021 the Supreme Court revisited this issue in TransUnion LLC v. Ramirez, 20-297, 2021 WL 2599472, at *1 (U.S. June 25, 2021), when a credit reporting agency flagged certain consumers as potential matches to names on the United States Treasury Department’s Office of Foreign Assets Control (OFAC) list of terrorists, drug traffickers, or other serious criminals. The Court found that those “flagged” consumers whose information was divulged to third party businesses as being included in this list suffered a concrete injury in fact.. With regards to those consumers who were flagged as potential matches, but the information was never disseminated, the Court was unconvinced that a concrete injury occurred. Id. The Court further examined the risk of future harm for these individuals, but declined to find injury in fact, stating that risk of harm cannot be speculative, it must materialize, or have a sufficient likelihood of materializing. Id. It will be interesting to see how this ruling plays out in the circuits in the context of a data breach. The Court included in its opinion some interesting information regarding certain circumstances that may give rise to a concrete harm. Id. Aside from physical or financial harm, the Court also stated that reputational harm, the disclosure of private information, or intrusion upon seclusion may rise to the level of concrete harm. Id. This then begs the question of whether a risk of harm analysis might be necessary in the context of a breach, where private information is indeed accessed and disclosed (i.e., disseminated) to an unauthorized 3rd party. Continue Reading First There Was Litigation; And Then There Was Standing

Introduction

On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment for its second draft released on April 29, 2021, data compliance is becoming increasingly important and complicated for companies operating business in China or with data originating from China.

Background

Before the enactment of the Cybersecurity Law in 2016, China didn’t have any dedicated national legislation on data security, and the duty of protecting data was mainly left to companies that collect and/or use data to implement voluntary protection schemes. The 2016 Cybersecurity Law encompassed the issue of cyber data management and security, but other types of data remain unregulated. The Data Security Law filled up the gap by addressing all types of data (including both electronic and non-electronic data) and covering the full cycle of data activities.

Scope of governance

Under the 2016 Cybersecurity Law, all the network owners, managers, and service providers (the “Network Operators”) are required to implement measures to safeguard network security and integrity, and ensure contents published on the network are legal and appropriate. Although technically speaking every enterprise providing services or operating business through a computer network would fall within the definition of Network Operator, based on the reported enforcement cases since 2017, website and mobile application operators were the primary targets of the crackdowns.

By contrast, the Data Security Law has a much wider jurisdiction. Firstly, unlike the 2016 Cybersecurity Law, which only governs cyber data, the scope of Data Security Law also covers non-electronic data. Secondly, although both laws imposed long-arm jurisdiction over illegal overseas activities, the sanctions under the 2016 Cybersecurity Law are limited to exportation of personal and core data originated from China, importation of illegal data from overseas, and activities severely undermining China’s core information infrastructure facilities, whereas any overseas data processing activity that jeopardizes China’s national security, public interest, or lawful rights of any person or entities are considered illegal under the Data Security Law. Obviously, the Data Security Law is taking a catch-all approach to provide a very broad grounds for future legal enforcement.

Points to note

Data classification system

From the fact that the term “national security” is mentioned 14 times in a law comprised of only 55 provisions, it is quite clear that enhancement of national security is a very big driver behind the promulgation of the Data Security Law, if not the most important one. Pursuant to the Data Security Law, the Chinese government will for the first time establish a centralized classification system by the level of importance of the data. Data that are pertinent to national security, national economy, social welfare, and important public interests will be regarded as core data, and will be subject to stricter scrutiny. In the near future, the Chinese government will publish national, regional, and departmental catalogues with classification guidance for the ease of reinforcing supervision on core data processing activities.

Data security monitoring system

As required by the Data Security Law, all data processors will be required to establish a data security policy and risk monitoring system. Processors of core data are required to report their data protection practice to the government on periodic basis, and processors of non-core data are required to report to the government in event of security failure. Companies who fail to protect their data and cause large scale data leakage may face a fine of up to RMB2 million and risk suspension or closure of business. If the violation concerns core data in jeopardy of China’s national interests, the fine may be up to RMB10 million.

Data exportation

The exportation of core cyber data will continue to be governed by the 2016 Cybersecurity Law, whereas China will introduce the new regime regarding exportation of other data. One of the most notable implications on such data exportation restriction is its counteracting effect against the Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) promulgated by former US President Donald Trump in 2018. The CLOUD Act enables US law enforcement agencies to demand access to electronic data no matter which country the data is stored in. However, under the 2016 Cybersecurity Law, exportation of personal data and important data stored in core information infrastructure facilities in China are subject to safety review. This measure has been endorsed by the Data Security Law, which further provides that companies who failed to comply with this requirement may be fined up to RMB10 million and risk suspension or closure of business. The Data Security Law also allows countermeasures to be taken in response to any discriminatory measures against China’s data or data development related investment or trade adopted by foreign countries or regions.

Observation

So far, the Data Security Law has only set out a skeleton for the governance of data. The meaning of some important concepts remain unclear. For instance, the concept of “public interests” in the Data Security Law is widely used across various Chinese legislations, but there is neither specific definition for it within the Data Security Law itself, nor has the legislator published any guidance providing clarification. Further, it is unclear which governmental authority should be responsible for enforcement. Based on the latest enforcement case report, a large-scale violation of citizens’ information privacy by certain Chinese local companies operating mobile phone apps was sanctioned by a joint group consisting of The Public Security Bureau,  Cyberspace Administration  Office, and Communication Administration Bureau for “jeopardizing public interests.”  However, it is worth noting that the concept of “public interest” is going to be a bit different in the US than in China. Generally speaking, public interest in the US is limited to activities like public health (think pandemic response) or rule of law (think law enforcement). This is a much narrower concept than in other places in the world. As such, it will be prudent to see what the Chinese officials do with their approach to defining “public interest.”

While waiting for further implementation rules, enterprises with data originated from China should start assessing their exposure to risk of data leaks, unauthorized data exportation, and other violations in this new compliance environment, and seek professional advice.

This post was originally posted on The Global Privacy Watch blog.

In a long awaited decision, the European Commission (“Commission’) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.

It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor,” the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.

The two sets of SCCs are (i) for use between controllers and processers inside the EU/EEA, and (ii) for cross border transfers between controllers and processers. Both can be used as of 27 June 2021. Note that the effect of Brexit has added

What are the key takeaways?

  • There are now approved SCCs for intra-EU agreements under Article 28. As a consequence, there is now a “safe harbor” to ensure all of an entity’s processor (Article 28) agreements are compliant. This did not exist previously.
  • The SCCs have a ‘modular approach’, enabling multiple parties to join and use them. Additionally, now there will now only be a need for one agreement addressing both Article 28 and Article 46 requirements. Until the new SCCs came out, there was a need for a different agreement for each of the two Articles.
  • The SCCs account for the Schrems II decision, which in 2020 considered the validity of the previous SCCs in relation to international transfers. The SCCs outline the steps that data controllers/processors must follow to comply with the decision and provide possible supplementary measures that can be taken, if necessary (e.g. encryption, pseudonyms).
  • As part of the Schrems II consideration, both data exporters and importers must warrant that they have carried out a local law assessment (i.e. relating to the jurisdiction that will receive the data) and that they have no reason to believe that local laws/practices would prevent the importer from complying with its obligations under the SCCs.
  • There is an 18 month transition period for controllers and processors to update the current SCCs in their contracts, intra-group transfer agreements etc. This is a welcome improvement on the 12 month period suggested in the November drafts. The previous SCCs can still be included in new contracts until 27 September 2021, but these contracts will then need to be updated within the transition period.

Practical Implications

The new SCCs have made some significant changes in how to implement, and how hard it is to implement, the clauses. The previous SCCs were fairly simple to implement – you just filled out the blanks in the appropriate form (i.e. controller-to-controller, or controller-to-processor) and you were done. The new SCCs are not as easy an exercise. While the original data flows under the original SCCs are still present, the new SCCs recognize that services businesses in the EU shouldn’t be left out of the thinking of the SCCs. And considering the processor in the EU working with foreign (e.g. US) data shouldn’t impose the GDPR on exclusively non-EU data, we now have “processor to sub-processor” and “processor to controller” modules.

In addition to the various modules, there are embedded “options” in the various modules as well (e.g. Clause 13). This is a significantly new format, and one which will require legal counsel to determine which module to use.

Along with the counsel needed to figure out just which modules and options to use in the SCCs, the Schrems II considerations also now demand a much higher level of legal work as part of the execution of the SCCs. Now, parties have to undertake a legal evaluation of whether or not there are local law issues which might make the enforcement of the SCCs provisions (including enforcement by 3d party beneficiaries) problematic. This evaluation has to be documented, and this documentation has to be in a form that is available to a supervisory authority should they request it. This means the documentation can’t be hidden away under attorney-client confidentiality rules. It will need to be available to a public authority.

There are a number of other tactical changes, some of which are welcome (e.g. how to deal with general authorizations of sub-processors) and some of which are less so (e.g. having to identify a specific supervisory authority where the importer doesn’t have an EU Representative). However, these will have significantly less of a “cost to implement” than the new structural and analytical requirements.

How does this affect transfers with the UK?

The SCCs are not applicable to the UK GDPR. However, the UK’s Information Commissioner’s Office (“ICO”) has said it will consider recognizing the SCCs as a valid transfer mechanism under the UK GDPR. In any event, the ICO is planning to propose, and consult on, bespoke UK SCCs for international transfers later this year. That being said, it is possible that the recognition of EU SCCs will be a contingency on the UK retaining its adequacy decision, which is currently under scrutiny. Also, the ICO has already adopted the use of the prior SCCs as part of the Brexit package. It would follow that the UK would have some sort of recognition of the EU SCCs, even in light of the UK’s promulgating their own. This is similar to the way the Swiss and the EU have managed interoperability between each of their own SCCs.

Seyfarth Synopsis:  On May 12, 2021, President Joe Biden issued a very broad, 34 page “Executive Order on Improving the Nation’s Cybersecurity.” The Executive Order, or “EO”, can be found here. This order comes six months after the notorious SolarWinds attack, and mere weeks after other high-profile attacks have invaded our networks, and shut down pieces of the nation’s critical infrastructure causing gasoline shortages in certain parts of the country.

By “force of law” the EO applies only to the federal government and federal government systems. By extension, the EO applies, or will apply, to thousands of government contractors and subcontractors that provide IT goods and services (e.g., software) to the US government. Notably, many of the cybersecurity provisions have yet to be written and many will have to go through a drafting and comment period. Other of the provisions may look “new” but have actually been around for a while (like multi-factor authentication and end-point solutions).

The order does not touch on every aspect of US business, like critical infrastructure, but it is a wonderfully good start as it sets forth certain policies and procedures that every business must (if you are a government contractor) or at least should consider enacting. The clear implication of the EO is that the government, IT contractors and providers, and the private sector can no longer wait around for the next shoe to drop. The time for action is now.

So despite being aspirational (at least for today and for some time in the future), the EO makes probably its most important point in its opening statement (Section 1. “Policy”): “We are all in this together.” Indeed the EO opens by noting:

“(C)ybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

Let’s examine below certain pieces of the EO as it applies both to the federal government and government IT contractors and providers. The private sector should note that, similar to other “standards” like the NIST Cybersecurity Framework (issued under the Obama Administration in February 2014), to the extent it doesn’t follow the guidance and the policies in the EO, they might fall squarely in the headlights of plaintiffs’ class action counsel who may say, if it was in the EO, why didn’t you follow the same guidance.

Removing Barriers to Sharing Threat Information

Given their position in providing IT goods and services to the government, the EO notes that the IT providers are in a very good position to know better than the government the threat landscape and incident information that affect the federal systems they serve. But by contract, the IT provider might be precluded from sharing that information with the government.

In response, the EO pledges that within 120 days, amendments to the contractual language already in use by the federal government is to be recommended to ensure that information pertaining to cyber threat intelligence as well as cyber incident response information can be shared promptly, ideally within three days (a three-day period is already in place under certain federal, state and EU guidelines). The EO is clear on this point: information sharing is one of its highest priorities.

Modernizing Federal Government Cybersecurity

Another high priority of the Biden Administration is the modernization of the federal government cybersecurity architecture (see Section Three of the EO):

“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”

What does this mean at the end of the day?

  • Recognizing that the Cloud is likely the future of data storage for the majority of the US Government, yet the cloud has its own set of unique risks and thus needs its own security and incident response strategy;
  • That the government will move towards a recognized system of identity and access management, including mandatory multi-factor authentication; and that
  • The government will adopt encryption of data at rest and in transit.

Enhancing Software Supply Chain Security

This section clearly relates to the government’s previous responses to the SolarWinds cybersecurity attack in December 2020. Here, the EO calls upon the National Institute of Standards and Technology to produce guidelines for enhancing the software supply chain security. This guidance shall include standards, procedures or criteria regarding:

  • secure software development environments, including such actions as:
    • using administratively separate build environments;
    • auditing trust relationships;
    • establishing multi-factor, risk-based authentication and conditional access across the enterprise;
    • documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;
    • employing encryption for data; and
    • monitoring operations and alerts and responding to attempted and actual cyber incidents;
  • generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i);
  • employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
  • employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release.

Improving Detection of Cybersecurity Vulnerabilities and Incidents

Finally, like is more common already in the private sector, the EO urges the adoption of endpoint detection and response initiatives to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response. The hope is that such initiatives will support a “playbook” that would better demonstrate the EO’s mandate to provide a better level of incident response and remediation capabilities throughout all levels and departments of the levels of government.

The above is just a partial list of initiatives that the Biden Administration has put forth in the EO. There are indeed other initiatives that bear close examination like the NIST Cybersecurity Framework, and there are other technologies, like machine learning anomaly detection devices that also can potentially make the federal government more “cyber safe.” But, the most important part of the EO is that now “there is a plan.” A plan that will be reviewed by experts like the NIST, and thereafter refined and put into place. And with all good fortune that plan will spread like wildfire across the whole private sector as well. Then all parts of government and industry will likely be more cyber safe.

As the global pandemic begins to show signs of waning, cyber risk is showing no such easing.  In fact, in a recent survey, over 68% of business leaders reported believing that their cybersecurity risks are increasing, despite their own mitigation strategies. Organizations in this coming year will continue to face a constantly evolving threat landscape and increasing threat actor sophistication. Catastrophic supply-chain breaches in 2020 have made organizations begin rethinking what devices, software, and hardware is trustworthy in their environments. While nation-state actors with significant resources appear to have carried out the recent major supply chain attack(s), even “script kiddie” threat actors are expanding their capabilities and improving their techniques. Several trends are on the horizon for this next year.  They are as follows:

Ransomware Is Evolving to Data Exfiltration and Extortion

Historically, ransomware focused on infiltrating organization endpoints and locking the organization out of their own data. While temporarily paralytic, organizations generally made it through those events by either paying the ransom, or recovering their data from disaster recovery or backup media. Tactics have changed for many ransomware threat actors, however, and now many seek to exfiltrate data in addition to deploying ransomware. They do this so that if an organization fails to pay the ransom amount, then they can fall back on the exfiltrated data to extort the organization. If the organization still fails to pay the new extortion ransom, the data is then leaked, usually on the Dark Web. In the first instance, effective incident management with experienced professionals is critical to managing your way through the incident. In the event of disclosure of data, there are also many issues that arise including potential disclosure of attorney-client communication, work product, trade secrets, and PHI/PII. Our prior blog post covers this specific situation in more detail.

Email Compromise Events Will Rise Along with Wire Fraud

Incidents involving threat actors gaining access to organizational email accounts will continue to rise in 2021. This increase can be attributed to password re-use, credential harvesting attacks, data leaks following a breach or extortion event, malware, phishing, smishing, etc. Motivation for these attacks typically involve obtaining information that can be used to facilitate other types of attack. Threat actors steal signature lines, email recipient metadata, prior dealing information, and payment information. This allows a threat actor to set up convincing-looking emails/invoices to perpetrate bank fraud. This comes in the form of requesting a fake invoice be paid or bank information changed. Unfortunately, this person-in-the-middle type attack often goes undetected by the legitimate employees involved. In 2021, organizations should focus on employee training to increase awareness, sophistication, and “cyber-suspicion” of their employees. Organizations will benefit from taking a closer look at their email system logging to ensure that requisite logs are available to conduct investigations following a business email compromise.

To review Seyfarth’s full 2021 Commercial Litigation Outlook, click here.

You may also register for Seyfarth’s webinar regarding Post-Pandemic Trends and Emerging Challenges in 2021 here

This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software.  Since then, vulnerability has been independently verified and confirmed by Microsoft.  It is believed to have been used by foreign-state threat actors for an unknown period of time, extending at least to January, 2021.  Exchange acts as the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.

While the vulnerability does not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with Exchange servers.

Companies that use Microsoft Exchange Server for email messaging in any version should take immediate steps to address the situation.  Office 365 is not affected, but companies with physical Exchange servers combined with Office 365 would still be vulnerable.  The vulnerability effects every version of Microsoft Exchange Server from 2010 through 2016.  The exploited vulnerability and potential back door allows a remote attacker full access and control of the organization’s Exchange server, including all the data residing on it—emails, attachments, contacts, notes, tasks, calendar items, etc.  Attackers using the vulnerability can also identify a mailbox by user name and view or copy the entire mailbox contents.

The seriousness of the issue is difficult to understate.  Using the exploit, intruders are able to leave behind one or more “web shell,” scripts for future use.  A web shell is an easily-operated, password-protected hacking tool that can be accessed from any browser over the Internet; they are also commonly used for legitimate functions, and thus difficult to identify as malware by file type alone. Continue Reading Organizations Using Microsoft Exchange Mail Server Face Severe Cybersecurity Threat

Seyfarth Synopsis:  The attorney-client privilege is a bedrock legal principle that protects a client from providing a court or adversary with confidential communications exchanged in the course of providing or receiving legal advice with an attorney.  Cybersecurity data breach, often accompanied by ransom/extortion demands and threats of publication of sensitive information, diminish the attorney-client privilege protection and raise ethical issues as to an attorney’s duty in protecting the privilege from being waived.  Continue Reading Ransomware with Data Exfiltration and Threatened Leak Extortion

A nationwide fraudulent unemployment benefits cyber scam has been making headlines for many months now and still continues to threaten employers and countless individuals throughout the United States.   Threat actors continue to exploit overwhelmed governmental agencies and are filing claims for benefits using the personal information of people who have not lost their jobs.  The false claims have been estimated in the hundreds of millions of dollars of fraudulent unemployment claims being paid to threat actors.  This fraud is a sharp reminder that sensitive personal information in the wrong hands can result in tremendous harm.  Employers should remain vigilant and alert their workforce, promptly challenge fraudulent claims, and check cyber-security practices and policies to help protect against this and other cyber threats.

It is estimated that nearly 53 million unemployment claims were filed during the few months of the coronavirus pandemic and the threat has continued into 2021.  Many state agencies, already understaffed and functioning with older technology and fraud detention protocols, were not prepared for the onslaught and have become tremendously overwhelmed.  The resulting delays and chaos in processing so many unemployment claims in such a short time has set the perfect stage for threat actors to take advantage.

Under normal circumstances, when the unemployment claim is filed, the agency will send  timely notice to the employer to provide the opportunity to protest the claim.  Typically the employer has ten days to protest.  However, during the pandemic, unemployment offices across the country have struggled to get the notices out to employers – taking months rather than days.  Consequently, employers are receiving the protest notices after the time has expired to protest the claim.  Most people learn they are affected when they get a notice from the state unemployment benefits office about their supposed application for benefits.  By then, however, the benefits usually have been paid to an account the criminals control.  Further, it is not clear given the magnitude of claims and impact on individuals whether in some instances agencies are paying even before they send the protest notice. Continue Reading COVID-19 Unemployment Benefits Scams Continue Well Into the Pandemic

Business executives face the challenge of improving their company’s cybersecurity posture while balancing costs. The consequences of a cyberattack – including lost revenue, customers, diminished reputation and credibility, or even total shut down – force executives to prioritize cybersecurity within their budgets and strategize how to best allocate their limited resources. How should business executives prioritize improving their cybersecurity postures in the most cost-effective way?

Join us for this web event where Joe Rooney of BDO will moderate a discussion between Ric Opal of BDO Digital and Scott Carlson of Seyfarth Shaw to share what cybersecurity strategies and industry trends they are seeing in the market from an executive perspective. Azure Security Center addresses the three most urgent security challenges:

We’ll look at:

  • Trending cybersecurity legal risks that businesses are facing – including breach prevention, incident response, employee training, and resulting litigation
  • What businesses are doing to successfully implement a cybersecurity strategy
  • If you do nothing else, do these three things to protect your organization, data, and people

Speakers

Scott Carlson, Partner, Seyfarth Shaw LLP
Ric Opal, Principal, BDO Digital, LLC

Moderator

Joe Rooney, Business Development, BDO USA, LLP