The City of Portland, Oregon becomes the first city in the United States to ban the use of facial recognition technologies in the private sector citing, among other things, a lack of standards for the technology and wide ranges in accuracy and error rates that differ by race and gender. Failure to comply can be
Uncategorized
NYDFS Files First Enforcement Action Under Reg 500
On July 21, 2020, the New York Department of Financial Services (“DFS”) filed its first enforcement action under New York’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”). Reg 500, which took effect in March 2017, imposes wide-ranging and rigorous requirements on subject organizations and their service providers, which are summarized…
EU-U.S. Privacy Shield Program for Transfer of Personal Data to U.S. Found Invalid
On July 16, 2020, the Court of Justice of the European Union (CJEU) published its decision in the matter of Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”). The matter, arising from the transfer of Schrems’ personal data by Facebook Ireland to Facebook Inc. in the United States, presented questions…
Supreme Court Weighs in on TCPA Constitutionality
In a much-anticipated Supreme Court decision, Barr v. American Association of Political Consultants, sure to impact the future of the Telephone Consumer Protection Act (“TCPA”), the Court addressed the issue of whether the government-debt exception to the TCPA’s automated-call restriction violates the First Amendment, and whether the proper remedy for any constitutional violation is…
The California Privacy Rights Act (“CPRA”) Headed to the November 2020 Ballot
As we recently reported, the privacy-right activist group that sponsored the California Consumer Privacy Act (“CCPA”) – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The CRPA has now qualified for the November 3, 2020 ballot, gathering more than 600,000 valid signatures as…
Legislators and Regulators Weigh in On Privacy and Data Security Protections for Healthcare Providers Amid COVID-19 Pandemic
As they work to combat the surging COVID-19 virus, healthcare providers recently were reminded by legislators and regulators of the importance of data security and privacy protections.
On the data security front, U.S. Senators Richard Blumenthal, Tom Cotton, David Perdue, and Mark Warner recently wrote to the Director of the U.S. Department of Homeland Security’s…
U.S. Supreme Court Will Finally Weigh in on Scope of CFAA
The United States Supreme Court recently granted a petition for certiorari in Van Buren v. United States addressing the issue of whether it is a violation of the Computer Fraud and Abuse Act (“CFAA”) when an individual who is authorized to access information on a computer, accesses the same information for an improper purpose. The…
FCC’s Declaratory Ruling on the TCPA’s “Emergency Purposes” Exception During COVID-19: Does it apply to Workplace Correspondence?
The Telephone Consumer Protection Act (“TCPA”) generally prohibits the use of automated dialing equipment or prerecorded voice messages to make calls, send text messages, or send faxes absent prior consent of the called party. This includes calls or texts to cellular phone numbers as well as calls to residential lines. There are limited exceptions to…
UK and US Issue Joint Cybersecurity Alert Concerning Explosion of COVID-19 Phishing Attacks
In the US, many organizations anxiously awaiting assistance under the CARES Act are becoming the targets of cyberattackers looking to feed off of the massive relief being provided by the US treasury. Yesterday, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of a substantial increase in these attacks, providing helpful guidance concerning the nature of the attacks and related information.
Specifically, the alert provides information on exploitation by cybercriminal and advanced persistent threat (APT) groups of the current coronavirus disease 2019 (COVID-19) global pandemic. It includes a non-exhaustive list of indicators of compromise (IOCs) for detection as well as mitigation advice. The alert notes that the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.
Organizations may not be able to prevent all attacks, but there are steps they could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Here are just a few of those steps.
Before an Attack
- Build the right team
- Ensure you have an IT team in place, whether internal or through a third-party vendor, that is well-versed in emerging threats and prepared to support the organization in the event of an attack.
- Secure the systems
- Conduct a risk assessment and penetration test to understand the potential for exposure to malware.
- Implement technical measures and policies that can prevent an attack, such as endpoint security, multi-factor authentication, regular updates to virus and malware definitions/protections, intrusion prevention software and web browser protection, and monitor user activity for unauthorized and high risk activities.
- Make your employees aware of the risks and steps they must take in case of an attack
- This is particularly critical now – educate employees on how to recognize phishing attacks and dangerous sites — say it, show them, and do it regularly. This includes instructing them to use caution when clicking directly on links in emails, even if the sender appears to be known — verify web addresses independently.
- Employees should avoid revealing personal or financial information about themselves, other employees, customers, and the company in email, including wiring instructions. If they must, they should confirm by phone.
- Direct employees to pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
- Instruct employees on what to do immediately if they believe an attack has occurred (e.g., notify IT, disconnect from network, and other measures) and what not to do (e.g., deleting system files, attempting to restore the system to an earlier date, and the like).
- Maintain backups
- Backup data early and often.
- Keep backup files disconnected from the network and in separate locations.
- Develop and practice an “Incident Response Plan”
- Identify the internal team (e.g., leadership, IT, general counsel, and HR).
- Identify the external team (e.g., insurance carrier, outside legal counsel, forensic investigator, and public relations).
- Outline steps for organizational continuity — using backup files and new equipment, safeguarding systems, and updating employees.
- Plan to involve law enforcement (e.g., FBI, IRS, Office of Civil Rights, and so on).
- Plan to identify, assess, and comply with legal and contractual obligations.
- Practice the response plan with the internal and external teams, reviewing and updating the plan to improve performance.
After an Attack
Continue Reading UK and US Issue Joint Cybersecurity Alert Concerning Explosion of COVID-19 Phishing Attacks
California AG Urges Congress Not to Preempt the CCPA
Earlier this month, California Attorney General (“AG”) Xavier Becerra sent a letter to several members of U.S. Congress, providing an update on the implementation of the newly effective California Consumer Privacy Act (CCPA), and urging Congress not to enact a federal law that would preempt the CCPA and other state consumer privacy measures. Instead, AG…