The FTC recently settled its enforcement action involving data privacy and security allegations against an online seller of customized merchandise. In addition to agreeing to pay $500,000, the online merchant consented to multiyear compliance, recordkeeping, and FTC reporting requirements. The essence of the FTC’s seven count Complaint is that the merchant failed to properly disclose
Cyber Incident, Ransom Payment Reporting to DHS Mandatory for Critical Infrastructure Entities
Included within the Consolidated Appropriations Act, 2022, signed by President Joe Biden on March 15, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Act) creates new data breach reporting requirements. This new mandate furthers the federal government’s efforts to improve the nation’s cybersecurity, spurred at least in part by the Colonial Pipeline cyberattack that snarled the flow of gas on the east coast for days and the SolarWinds attack. It’s likely the threat of increasing cyberattacks from Russia in connection with its war effort in Ukraine also was front of mind for Congress and the President when enacting this law.
In short, the Act requires certain entities in the critical infrastructure sector to report to the Department of Homeland Security (DHS):
- a covered cyber incident not later than 72 hours after the covered entity reasonably believes the incident occurred, and
- any ransom payment within 24 hours of making the payment as a result of a ransomware attack (even if the ransomware attack is not a covered cyber incident to be reported in i. above)
Supplemental reporting also is required if substantial new or different information becomes available and until the covered entity notifies DHS that the incident has concluded and has been fully mitigated and resolved. Additionally, covered entities must preserve information relevant to covered cyber incidents and ransom payments according to rules to be issued by the Director of the Cybersecurity and Infrastructure Security Agency (Director).
The effective date of these requirements, along with the time, manner, and form of the reports, among other items, will be set forth in rules issued by the Director. The Director has 24 months to issue a notice of proposed rulemaking, and 18 months after that to issue a final rule.
Some definitions are helpful.
- Covered entities. The Act covers entities in a critical infrastructure sector, as defined in Presidential Policy Directive 21, that meet the definition to be established by the Director. Examples of these sectors include critical manufacturing, energy, financial services, food and agriculture, healthcare, information technology, and transportation. In further defining covered entities, the Director will consider factors such as the consequences to national and economic security that could result from compromising an entity, whether the entity is a target of malicious cyber actors, and whether access to such an entity could enable disruption of critical infrastructure.
- Covered cyber incidents. Reporting under the Act will be required for “covered cyber incidents.” Borrowing in part from Section 2209(a)(4) of Title XXII of the Homeland Security Act of 2002, a cyber incident under the Act generally means an occurrence that jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or an information system. To be covered under the Act, the cyber incident must be a “substantial cyber incident” experienced by a covered entity as further defined by the Director.
- Information systems. An information system means a “discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information” which includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.
- Ransom payment. A ransom payment is the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.
A report of a covered cyber incident will need to include:
Continue Reading Cyber Incident, Ransom Payment Reporting to DHS Mandatory for Critical Infrastructure Entities
Not-For-Profits, Charities Might Attract More Donors with Improved Website Content, Attention to Privacy
According to Giving USA, charitable contributions in 2020 exceeded $470 billion, 70 percent of which came from individuals. Individuals deciding to donate to a particular organization may be considering factors beyond the organization’s particular mission, however compelling it may be. Misleading GoFundMe campaigns, FTC crackdowns on deceptive charities, and poorly run organizations are
Do Employers Need a CISO for ERISA Compliance?
According to a recent survey, about 45% of companies do not have a Chief Information Security Officer (CISO). As West Monroe’s “The Importance of a CISO” observes, it would be terrific for all organizations to have a CISO, but that simply may not be practical for some, particularly smaller organizations. Recent internal
California State Senator Introduces a BIPA-like Law to Protect Biometric Information
Some members of the California legislature want their state to remain the leader for data privacy and cybersecurity regulation in the U.S. This includes protections for biometric information, similar to those under the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (BIPA). State Senator Bob Wieckowski introduced SB 1189 on February 17,
Massachusetts Privacy Bill Provides WISP Reminder, Safe Harbor for Punitive Damages
When Massachusetts issued its data security regulations in 2009 (Regulations), it led the way for states on data security. The Regulations became effective 12 years ago, almost to the day, March 1, 2010. The Bay State is now contemplating comprehensive privacy legislation, the Massachusetts Information Privacy and Security Act (MIPSA), similar to what has been
SEC to Advisors and Funds – Adopt and Implement Cybersecurity Policies and Procedures
On February 9, the Securities and Exchange Commission (“SEC”) voted to propose rule 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act (collectively, “Proposed Rule”). In general, the Proposed Rule would require all advisers and funds to adopt and implement cybersecurity policies and procedures containing several elements. While acknowledging spending on cybersecurity
Jump in Facial and Voice Recognition Raises Privacy, Cybersecurity, Civil Liberty Concerns
Facial recognition, voiceprint, and other biometric-related technology are booming, and they continue to infiltrate different facets of everyday life. The technology brings countless potential benefits, as well as significant data privacy and cybersecurity risks.
Whether it is facial recognition technology being used with COVID-19 screening tools and in law enforcement, continued use of fingerprint-based time
Top 10 for 2022 – Happy Data Privacy Day!
In honor of Data Privacy Day, we provide the following “Top 10 for 2022.” While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2022.
- State Consumer Privacy Law Developments
On January 1, 2020, the CCPA ushered into the U.S. a range of new rights for
Fraud, Data Breaches Continuing to Crush Federal and State Unemployment Benefit Departments, Pennsylvania’s Next?
Few want to get past the COVID-19 pandemic more than leaders of federal and state unemployment benefit departments. For the last 2 years they have been successfully targeted for fraud and data breaches, racking up billions in losses. Thousands of employees across the country, including yours truly, have had false claims submitted in their name.