- NY Attorney General Offers Guidance on Dealing with Credential Stuffing
- “Silent Cyber” Continues to Make Noise in State Appellate Courts
- The FBI Warns M&A Participants on the Increasing Ransomware Threat
- FTC Updates Safeguards Rule for Non-Banking Financial Institutions
- The DOJ’s Civil Cyber-Fraud Initiative
- The Framework of a Tort-Claim Safe Harbor
- OFAC Issues Updated Ransomware Advisory
- COVID-19 Operations: How to Keep Vaccine-Related Data Safe
- Colorado Passes Comprehensive Consumer Privacy Law
- Understanding National Security Implications of Sensitive Data
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
Last week, the New York Attorney General’s office offered guidance regarding credential stuffing, a common and costly attack on businesses and consumers, in which threat actors repeatedly attempt to log in to online accounts using usernames and passwords stolen from other online services. Credential stuffing takes advantage of three aspects of the online ecosystem: (1) most online accounts utilize usernames and passwords; (2) a steady flow of data breaches has resulted in billions of stolen credentials being leaked onto the dark web for other threat actors to exploit; and (3) consumers tend to reuse the same passwords across multiple online services.
Corporate policyholders, insurers and courts continue to grapple with the question of whether traditional “non-cyber” business insurance policies provide coverage for losses from cyberattacks. The most recent decision addressing this “silent cyber” issue came last month in EMOI Services, LLC v. Owners Insurance Company, 2021-Ohio-3942, 2021 WL 5144828 (Ohio App. 2 Dist., Nov. 5, 2021). In EMOI Services, an Ohio Court of Appeals panel reversed a trial court’s grant of summary judgment in favor of an insurer that found no coverage for a ransomware attack under a property insurance policy.
Last week, the Federal Bureau of Investigation issued a private industry notification warning that “ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.” The FBI cautioned that ransomware attackers research publicly available information and target companies involved in significant, time-sensitive financial dealings such as M&A and other transactions. This initial reconnaissance, according to the FBI, is later followed by a ransomware attack and a subsequent threat that unless the victim pays the ransom, the attackers will disclose the information publicly, causing potential investor backlash and affecting the victim’s stock value.
The Federal Trade Commission recently announced a newly updated rule concerning the data security safeguards required for financial institutions to protect their customers’ financial information. The FTC’s updated Safeguards Rule, which originally was mandated by Congress under the 1999 Gramm-Leach-Bliley Act, requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. The new rule more closely aligns with the NY Department of Financial Services Cybersecurity Regulation.
October is National Cybersecurity Awareness month, and the Department of Justice has chosen this month to roll out a new “Civil Cyber-Fraud Initiative.” The announced purpose of the Initiative is to actively pursue cybersecurity-related fraud claims by government contractors and grant recipients.
A bipartisan bill was introduced on October 5, 2021, in the Michigan Senate to amend the Michigan Identity Theft Protection Act (the “Act”). The bill, linked below, would create an affirmative defense to tort claims arising out of a security breach.
On September 21, 2021, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an updated ransomware advisory (the “2021 Guidance”), which supersedes its 2020 ransomware guidance (the “2020 Guidance”), discussed in a previous post on this blog.
In the 2021 Guidance, OFAC notes that ransomware payment demands have escalated during the COVID-19 pandemic as U.S. businesses maintain significant online and internet-connected activities. OFAC identifies a 21 percent increase in ransomware attacks and a 225 percent increase in ransomware losses as reported by the Federal Bureau of Investigation (FBI). The pandemic has presented numerous opportunities for cyber actors to target system vulnerabilities, particularly smaller businesses and municipal entities with limited resources for cybersecurity investments as well as entities supporting critical infrastructure, such as hospitals, that are likely to make quick payments to avoid service disruptions to patients.
Post authored by Mahja D. Zeon, an Associate in Honigman's Detroit office and Lauren Legner, a 2021 Summer Associate in the firm's Detroit office.
Employers have a right, and in some industries, even a requirement, to implement vaccine-related policies to promote workplace safety, but they must be mindful of the privacy implications. There are several competing concerns to weigh when deciding whether to implement vaccine-related policies. On the one hand, data regarding employee vaccination status may play an essential role in keeping the workplace safe from COVID-19 outbreaks. On the other hand, collecting and using such data implicates individual privacy and data security concerns. Should an employer choose to collect vaccine-related data, it must take the appropriate steps to keep this information safe. Here are three ways employers can implement vaccine-related, data-safe policies:
On the heels of Virginia’s Consumer Data Protection Act, Colorado recently passed its own comprehensive consumer privacy law. On July 8, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”). The CPA takes effect on July 1, 2023.
Business transactions, management changes or investments involving non-U.S. companies or individuals receiving control or information rights to U.S. companies are subject to review by the U.S. government for national security purposes. There is a particular concern if any sensitive individual or government data is held by the U.S. company. U.S. companies holding sensitive data should consider whether their business may be subject to CFIUS review prior to entering any investment or engaging in M&A activities.