The FTC Fires Its First Shot Under the HBNR

Last month, the Federal Trade Commission (“FTC”) announced its first-ever enforcement action under the Health Breach Notification Rule (“HBNR” or “the Rule”). In a complaint filed in February, the agency alleged that GoodRx Holdings Inc., a prescription drug discount and telehealth provider, violated the HBNR by sharing users’ personal health information with third-party digital advertising providers without users’ consent. The FTC also alleged that GoodRx violated Section 5 of the Federal Trade Commission Act (“FTC Act”) by engaging in unfair and deceptive business practices related to its data-sharing. The company did not admit to any wrongdoing, but agreed to pay a $1.5 million civil penalty and take corrective action as part of a settlement entered on February 17, 2023.
Illinois Supreme Court Rules that BIPA Claims Accrue with Each Scan or Transmission

The Illinois Supreme Court recently issued a decision that could have wide-ranging implications for defendants and plaintiffs alike under the Illinois Biometric Information Privacy Act (BIPA). In response to a certified question from the U.S. Court of Appeals, the Illinois Supreme Court ruled that damages claims under BIPA accrue on each violation, not just the first.
Breaking-free from the Hive

On January 26, 2023, the Department of Justice announced its successful “months-long disruption campaign” against a ransomware group known as Hive, signaling the United States’ increased efforts to combat ransomware attacks and the groups responsible for them.
Supreme Court Backs Away from Deciding Scope of Attorney-Client Privilege
The Supreme Court has declined, for now, to decide when attorney-client privilege will apply to communications viewed by courts as made for both legal and other purposes. In October 2022, the Court granted certiorari in In re Grand Jury, No. 21-1397, and heard argument on January 9, 2023. In a surprise decision on January 23, 2023, however, it dismissed the appeal, holding that review of the lower court’s decision was “improvidently granted.”
Medibank’s Ransomware Saga Continues
Compounding Consequences for Australian Health Insurer Following Breach

Medibank, one of Australia’s largest private health insurers, detected a ransomware attack in October 2022. The attackers, believed to be part of a criminal organization based in Russia, exfiltrated approximately 9.7 million customers’ sensitive data and threatened to publish it online if Medibank refused to meet its ransom demand. In an unusual twist, the company reported that its systems had not been encrypted by the attackers.
New York DFS Proposes Revisions to Landmark Cybersecurity Regulation

On Wednesday, November 9, 2022, the New York Department of Financial Services (“DFS”) announced proposed revisions to New York State’s landmark Cybersecurity Regulation, 23 NYCRR Part 500. The proposed amended regulation (“Amended Cybersecurity Regulation”) will be subject to comment for 60 days, after which DFS will review the comments received and either propose a revised version or adopt the final regulation. If adopted, the revisions will impose new requirements, including new reporting and access control requirements; enhanced governance obligations; detailed written policies, plans, and procedures; and enhanced testing and mandatory cybersecurity awareness training on an annual basis.
New York DFS Penalizes Carnival Cruises in Cybersecurity Enforcement Action
On June 24, 2022, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with Carnival Corporation d/b/a Carnival Cruise Line, Princess Cruise Lines, Holland America Line, Seabourn Cruise Line, and Costa Cruise Lines (collectively, the “Carnival Companies”), after finding several violations of New York State’s first-in-the-nation Cybersecurity Regulation (23 NYCRR Part 500, hereinafter the “Regulations”). The settlement, memorialized in a consent order, provides that the Carnival Companies must pay a $5 million penalty. Notably, also in connection with the settlement, the Carnival Companies agreed to surrender their New York State insurance licenses. The story serves as a cautionary tale—a cybersecurity event that catches DFS’s attention might lead DFS to discover several underlying and unreported violations of the Regulations during its investigation into that event.
Government Contractor Compliance in the World of Cybersecurity
Nothing is certain in life except death, taxes, and now, data breaches. Data breaches are almost an unavoidable cost of doing business in a globally connected world. As if being victimized by cybercriminals wasn’t enough, cybersecurity and data privacy increasingly have become the focus of private class action litigation and government enforcement actions.
Looking Back on the Breach: Fundamentals of Preserving Privilege of Forensic Analyses in the Wake of a Data Breach
As we have written previously, preserving privilege of forensic analyses can be critically important in the aftermath of a data breach. Questions of privilege and work-product protection routinely arise in post-breach litigation, especially concerning forensic investigation reports. Plaintiffs target these materials in discovery because they often provide a roadmap to the attack and include details regarding the victim business’s defenses and internal steps taken in response to a breach. Over the years, courts have grappled with these issues and reached varying results. In their recent article in the Cybersecurity Law Report, Alejandro Cruz and Elana Stern consider the case law to offer five analytical themes, as well as practical guidance that may help maximize the protection afforded to post-breach forensic analyses in follow-on litigation.
Wegmans, New York Attorney General Enter Settlement to Resolve Data Security Investigation
In a sign that it may be stepping up enforcement of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), the New York Attorney General’s Office (“NYAG”) announced on June 30, 2022 that it had reached a settlement with Wegmans, the national supermarket chain, for exposing the personal information of more than three million consumers nationwide, including more than 830,000 New Yorkers.
DOJ Issues New Guidance for Charging CFAA Cases
In a significant development in anti-hacking criminal enforcement, the Department of Justice last week released new guidance for charging violations of the Computer Fraud and Abuse Act (“CFAA”), the nation’s premier computer crime law. Coming on the heels of a series of closely-watched legal decisions, including the Supreme Court’s 2021 decision in Van Buren v. United States, No. 19-783, the guidance clarifies the Department’s priorities for CFAA-related criminal prosecutions and seeks to create nationwide uniformity in charging decisions. In the newly-released policy, the Department makes clear its position that CFAA prosecutions should focus on unauthorized cyber intrusions made in bad faith—rather than hyper-technical or hypothetical violations of the law.
Ransomware Attacks Case Studies Provide Rare Learning Opportunities

Ransomware attacks have become headline news in the mainstream media, and a hot topic not only on this blog but in government circles. And with good reason, as the United States suffered a staggering 421.5 million ransomware attempts last year alone, a 98% increase from 2020. This figure comes from the United States Senate Committee on Homeland Security and Governmental Affairs’ new staff report titled “America’s Data Held Hostage: Case Studies in Ransomware Attacks on American Companies.” It details three companies’ experiences responding to attacks by Russia-based ransomware group REvil. The companies varied in size and industry, but their previously established incident response plans helped mitigate the damage from the attacks. However, the companies reported receiving little assistance from the Federal Government, highlighting the need for change at the federal level to better combat future attacks.
Fourth Time’s the Charm—Utah Will Become Latest State to Enact Privacy Legislation
Utah is poised to become the latest state to jump on the privacy bandwagon. Last week, the Utah Consumer Privacy Act (“UCPA”) passed both houses of the state legislature. Once Governor Spencer Cox signs the bill, Utah will become the fourth state—after California, Virginia, and Colorado—to enact comprehensive privacy legislation. In fact, the UCPA seems to borrow heavily from its predecessors, and in particular is very similar to Virginia’s Consumer Data Privacy Act (“VCDPA”). Businesses serving customers in Utah will need to plan to comply with the law by December 21, 2023.
White House Issues Further Guidance for Federal Agencies on Cybersecurity Priorities

The White House recently issued a Memorandum designed to strengthen the cyber defenses of “National Security Systems” – information systems operated by the federal government that are used for intelligence or military purposes. The Memorandum comes at a time when cyberthreats to government actors are substantial. For example, back in December, the Virginia legislature was the target of a ransomware attack that threatened to delay the start of its legislative session. Similarly, multiple agencies of the Ukrainian government have recently been the target of substantial cyberattacks.
Ransomware’s Exponential Growth Echoes the History of Hijackings
Throughout the COVID-19 crisis, we have focused on the significant uptick in ransomware attacks. Government agencies such as OFAC, CISA, and New York’s DFS have updated their guidance on how to prepare for and respond to such attacks and provided tools to help stop ransomware attacks. Cybersecurity also continues to be a major focus of private enterprise. Despite businesses and government agencies’ increased attention to ransomware, however, 2021 is shaping up to be the most profitable year for data-nappers yet. In fact, according to a recent report by OFAC, ransomware payments in 2021 are on track to exceed the total amount paid over the previous ten years combined.
DFS Issues New Guidance Regarding Cybersecurity Regulation and the Adoption of an Affiliate’s Cybersecurity Program
On October 22, 2021, the New York State Department of Financial Services (“DFS”) issued new Guidance regarding a Covered Entity’s compliance with New York’s Cybersecurity Regulation where the Covered Entity relies on the cybersecurity programs of an Affiliate. The Guidance provides much-needed clarity on a topic that impacts many entities subject to the DFS Regulation.
OFAC Ransomware Guidance: Prepare, Report, and (Preferably) Don’t Pay the Ransom!
As we have previously reported, there has been a major uptick over the past few years—and particularly during the COVID-19 pandemic—in ransomware attacks. These attacks consist of an intrusion by a cybercriminal into the victim’s computers or network, followed by deployment of malware that encrypts the victim’s files, preventing access until a payment is made. More recently, these ransomware attacks also include exfiltration of data as a way to generate even more leverage over the victim. The incentives for victims of ransomware attacks to pay the ransom are substantial: the need to stop the attack, regain access to their data, restore business functions, and ensure that any stolen data is destroyed and not sold or exploited by bad actors makes these attacks existential events. On the other hand, making these ransomware payments brings its own risks. This includes substantial regulatory risk as those payments may run afoul of the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) guidance—since the payments may be made to parties who are on OFAC’s black list. Although there have not yet been any OFAC enforcement actions against those who have made ransomware payments, companies should be aware of the risk of going forward with a ransom payment.
SEC Continues Pursuit of Cybersecurity Enforcement
Last month, we wrote about three actions taken by the SEC signaling a renewed interest in cybersecurity disclosure enforcement. In keeping with this theme, the SEC announced a number of significant new cybersecurity actions just last week. On August 30, the SEC disclosed enforcement actions against eight brokerage firms for failing to implement adequate cybersecurity policies and procedures, as required by the SEC’s “Safeguards Rule.” All eight firms agreed to settle with the SEC and will collectively pay hundreds of thousands of dollars in fines. These most recent actions underscore that companies should be mindful of whether their cybersecurity policies and procedures comply with SEC requirements and expectations.
Massive T-Mobile Data Breach Reignites Calls for National Privacy and Data Security Law
A little over two weeks ago, T-Mobile became the latest victim of a cyberattack when more than 50 million of their customers’ data was stolen. In the ensuing weeks, three class action suits have been filed against the telephone carrier alleging a range of violations. Included in two of them are alleged violations of the California Consumer Privacy Act, one of them includes alleged violations of the Washington State Consumer Protection Act, and the third fails to allege any violations of state data security laws. Three House Representatives pointed to the breach as a reminder as to why there needs to be a national privacy and data security law. One such bill is the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.
Another Court Says Data Breach Investigation Report Is Fair Game
In a recent ruling with important consequences for data breach litigation, a federal court in Pennsylvania ruled that Rutter’s—a Pennsylvania convenience store chain that suffered a data breach—must disclose the investigative report it commissioned from a third-party after the breach. This is a recurring issue in data breach litigation and one that has far-reaching implications for how companies respond to data breaches or other security incidents. This is also the latest entry in an evolving, and not entirely consistent, line of cases that are broadly chipping away at the attorney-client privilege and the work-product doctrine protections companies argue should apply to their investigative reports.
Supreme Court Clarifies Standing Requirements – Implications for Class Action Defendants in Data Security, Privacy, and False Advertising Cases
On June 25, the Supreme Court held in a 5-4 decision that Article III prohibits certification of a class and a damages award where the majority of class members lack actual injury. In TransUnion v. Ramirez, the Ninth Circuit Court of Appeals had previously concluded that a class of over 8,000 individuals who could prove violations of the Fair Credit Reporting Act—and had actually proved them at trial—had standing to pursue damages at trial, even if they had not demonstrated that they had suffered concrete harm. The Ninth Circuit reasoned that violations placed the class members at sufficient risk of harm to confer standing. The Supreme Court reversed, and in so doing, reinforced its earlier holdings that Article III compels each plaintiff to show concrete harm.
SEC Signals Renewed Interest in Cybersecurity Disclosure Enforcement
The SEC is ramping up its cybersecurity disclosure enforcement. While the agency had made significant efforts relating to cybersecurity disclosure previously, there has been surprisingly little SEC activity in this area since 2018—even though the last three years have seen an explosion of high-profile data security incidents. That changed in June of this year, however, with the SEC taking three major actions that demonstrate a renewed interest in such enforcement. First, the SEC announced its intention to issue a new rule regulating cybersecurity risk governance disclosure. Second, it announced its first charges and settlement for cybersecurity disclosure violations since 2018. And third, it revealed a significant cybersecurity disclosure investigation relating to the recent SolarWinds supply-chain attack. In light of these developments, now would be a good time for issuers and registered entities to review the SEC’s expectations for cybersecurity disclosure, and implement any necessary changes to their respective policies and procedures, and disclosure practices.
Are You Ready for Ransomware? CISA Launches New “Stop Ransomware” Website Aimed at Testing Your Cybersecurity Preparedness
The federal government has been grappling with a holistic response to the massive uptick in destructive ransomware attacks that have bombarded the country in recent years. As part of that response, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched a “Stop Ransomware” website, which is aimed at helping private and public entities test and improve their cybersecurity. Among other key features of this effort is a self-assessment tool allowing organizations to test their cybersecurity based on government and industry recommendations and standards. This is a potentially useful addition to any organization’s cyber preparedness toolkit. It may also become another benchmark against which the “reasonableness” of any company’s data security protections is measured when facing private claims or regulatory scrutiny after a ransomware attack.
Taking the Ransom Out of Ransomware? Debate on Ransomware Payments Picks Up

The price tags of several high-profile ransomware attacks have made headlines over the past couple of months. Colonial Pipeline, which supplies roughly 45% of the fuel for the East Coast, paid a $4.4 million ransom to hackers (though the FBI reportedly recovered some $2.3 million of it). JBS USA, a major meat processing company, paid $11 million. With hackers making millions of dollars through single attacks, a debate has arisen about what to do, if anything, about ransomware payments. Some have proposed banning them outright, taking issue with the incentive structure such payments appear to create, while others warn about the negative and unintended consequences an outright ban could have, especially for the victims of an attack.
New York City Enacts A Biometric Privacy Law
Earlier this year, New York City passed a law restricting the collection and/or use of biometric technology by certain businesses. The new law goes into effect July 9, meaning applicable businesses have a couple more weeks to prepare themselves for its requirements. Businesses need only look to similar laws in other states, particularly Illinois, for a glimpse at the litigation that may come should they fail to abide by the new law’s provisions.
Supreme Court Narrowly Interprets CFAA to Avoid Criminalizing “Commonplace Computer Activity”
On June 3, 2021, the United States Supreme Court issued a 6-3 opinion in Van Buren v. United States, No. 19-783, resolving the circuit split regarding what it means to “exceed[] authorization” for purposes of the Computer Fraud and Abuse Act (the “CFAA”). The Court held that only those who obtain information from particular areas of the computer which they are not authorized to access can be said to “exceed authorization,” and the statute does not—as the government had argued—cover behavior, like Van Buren’s, where a person accesses information which he is authorized to access but does so for improper purposes.
Biden Administration Sets Sights on Cybersecurity with Executive Order

The Biden Administration is zeroing in on cybersecurity. In the wake of a high-profile wave of cyberattacks, including the SolarWinds supply chain attack and the more recent Colonial Pipeline ransomware attack, President Biden has issued an Executive Order (“EO”) designed to strengthen the federal government’s cybersecurity defenses. And for good reason. The SolarWinds supply chain attack in particular raises significant national security concerns, as hackers were able to access several federal agencies, including the United States Departments of Homeland Security, Defense, State, Treasury, and Commerce’s National Telecommunications and Information Administration. Issued on May 12, 2021, the EO seeks to prevent similar cyber-attacks by directing federal agencies to make a series of changes in how they approach cybersecurity. While the EO is necessarily limited in what it can do—it cannot, for example, make more sweeping reforms such as amending the woefully outdated Computer Fraud and Abuse Act used to prosecute hackers—it is a significant step. Here are the main highlights.
Second Circuit Affirms Dismissal of Class Action Based on Claimed “Increased Risk” of Harm
Is there standing to bring a lawsuit when an employee’s personal information is mistakenly circulated to all employees at the company? A recent decision addressed exactly this question. In McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit affirmed the district court in finding that the harm plaintiffs alleged (an increased risk of identity theft) was too speculative and remote to satisfy the injury-in-fact requirement of Article III standing. However, the court did not completely shut the door on this theory of harm, holding that an “increased risk” of identity theft could, under certain circumstances, qualify as an injury-in-fact for purposes of Article III standing. In doing so, the Second Circuit aligned with a number of its sister circuits which had previously recognized the potential validity of this approach.
New York DFS Announces Settlement With Insurance Company Under Cybersecurity Regulation
On April 14, 2021, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with insurance company National Securities Corporation, which suffered four separate breaches, two of which went unreported in violation of 23 NYCRR § 500.17(a). The settlement not only includes a monetary penalty but also mandates increased training and implementation of security tools, and underscores the urgency of addressing cybersecurity threats and DFS’s increasing enforcement activity for non-compliance with its cyber regulations.
New York Gets Ready to Jump on the Biometric Bandwagon
Companies that do business in New York or with New Yorkers could soon face an onslaught of biometric privacy-related litigation, courtesy of New York Assembly Bill 27, the Biometric Privacy Act (“BPA”). Currently pending before the legislature, the bill is modeled on Illinois’ Biometric Information Privacy Act (“BIPA”) and, like that law, would impose a set of rules businesses must follow when collecting biometric information. Critically, the BPA would create a private right of action for those “aggrieved” by violations of the law.
Recent Developments in the State Data-Privacy Landscape: Is Federal Involvement the Best Way Forward?
With a dizzying array of state privacy laws on the horizon, the prospect of a federal solution has come into sharp focus. Rather than a patchwork of regional legislation, a comprehensive national framework would potentially govern the precautions that companies must take when electronically collecting, using and storing customers’ personal information, regardless of where in the country the company—or the consumer—is located. That is the current situation in the European Union under the General Data Protection Regulation (GDPR), and has been for many years. It might one day be the case in the United States as well, if advocates of omnibus federal data privacy legislation have their way.
Beeple, Top Shots, and the Blockchain of Collectibles: Securing the Value of an Original Digital Asset
A cryptocurrency entrepreneur recently paid $69.3 million for Beeple’s Everydays: The First 5,000 Days at a Christie’s auction. That record-breaking price purchased a work of art that can be seen only on a computer and the image of which, in large part, is available for use and enjoyment by anyone with an internet connection because the work is a non-fungible token, or NFT. NFTs have quickly caught the attention of the art world and beyond, touching the mainstream with the NBA Top Shot craze and its $250 million plus marketplace for visual highlights of NBA games. The company behind NBA Top Shot, Dapper Labs, recently raised $250 million at a $2 billion valuation. And the larger market for NFTs has grown from $42 million in 2017 to $338 million by the end of 2020. But for intangible assets whose value is largely driven by the creation of an original work only in cyberspace, owners and investors need to think carefully about what they own and how to protect their digital acquisitions.
NIST Publishes Key Practices in Cyber Supply Chain Risk Management

The recent SolarWinds attack alerted the world to the risk of a cyber supply chain attack—an attack through or on your company’s vendors or suppliers. It is increasingly clear that even if you take all the right steps to secure your own computer systems, your company—and your company’s data—is only as secure as the weakest link among your suppliers. This risk includes attacks that might infect your computer systems, as well as the risk that your suppliers’ businesses will be disrupted.
Supreme Court Mulls Class Action Standing in TransUnion v. Ramirez

On Tuesday, the United States Supreme Court heard oral argument in TransUnion LLC v. Sergio L. Ramirez, No. 20-297, focusing on whether a class of individuals who experience a risk of harm that never materializes have standing to sue. Although the case itself does not involve a data breach, the Court’s answer to the standing question could have significant implications for the viability of data breach class action lawsuits moving forward.
Forensic Analysis and Privilege in the Wake of a Data Breach
In the wake of a data breach, counsel will often require the assistance of a forensic firm in order to provide legal advice to their client. The forensic analysis—which is often memorialized in a report to counsel—is crucial for counsel in understanding what occurred and formulating legal strategy relating to potential litigation and breach notification issues. For the same reasons, details of those forensic analyses and any related investigative reports are very likely to be the subject of a discovery request from plaintiffs if and when litigation ensues. Indeed, the requests for such reports are frequently a flashpoint in litigation that can determine the strength or weakness of the plaintiff’s case. Defendants typically object to producing these reports on the grounds that they fall under the attorney-client privilege and work-product protection.
California Privacy Rights Act: The Five Biggest Changes You Need to Know Now

Last November, California voters approved Proposition 24, enacting the California Privacy Rights Act (“CPRA”). The CPRA amends the California Consumer Protection Act (“CCPA”), which was already the most sweeping consumer data protection law in the U.S. Wondering what you should know about California’s new Privacy Rights Act? We dug into the new law and identified the five biggest changes.
Win for Walmart as District Court Gives Strict Reading to CCPA
In a win for data privacy defendants, Walmart secured a ruling that favors a narrow interpretation of the California Consumer Privacy Act (CCPA). In Gardiner v. Walmart Inc. et al, 4:20-cv-04618-JSW, a Walmart customer, Lavarious Gardiner, sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. As a result of an alleged, undisclosed data breach, Gardiner claimed that his personal information had been subject to unauthorized exfiltration on Walmart’s website, and sold on the dark web, exposing him to purportedly ongoing risk of financial fraud and identity theft. Gardiner’s complaint also included a summary of the results of a security scan of the Walmart website, which purported to show vulnerabilities in that website. Moreover, in a somewhat unusual twist, Gardiner claimed that he had in his possession “communications with the hackers which state that the accounts they are selling are real accounts that belong to Walmart customers.” Despite the allegations in the complaint, Walmart had never disclosed any breach and the complaint did not allege when any such breach occurred. Gardiner also brought claims for negligence, breach of contract, and violations of the UCL, all of which were dismissed for failure to plead cognizable injury.
New York DFS Fines Mortgage Lender in Cybersecurity Enforcement Action
New York’s Department of Financial Services (“DFS”) announced on Wednesday, March 3, 2021, that an independent mortgage lender, Residential Mortgage Services Inc. (“RMS”), has agreed to pay a $1.5 million fine to the agency in a settlement resulting from violations of its Cybersecurity Regulation. This is just the second enforcement action brought by DFS under the Cybersecurity Regulation, which was the first of its kind nationally.
Judge Finds No Article III Standing in Proposed Class Action Against Marriott
The question of standing has proven to be a tricky one in data breach litigation. (See our prior coverage here and here). Last week a federal district court in Maryland rejected a proposed class action brought by Marriott guests related to a data breach suffered by the hotel chain in early 2020, finding that the plaintiffs did not have Article III standing because they could not trace any alleged injury to particular actions or inactions by Marriott. This decision is an important reminder that the fact of a breach is not itself sufficient to confer standing, even where personal data is improperly accessed. In other words, even though a company that had your data suffered a data breach, you may not have been injured by its actions.
Virginia Joins California with Passage of New State Data Privacy Law
On Tuesday, March 2, 2021, Virginia became the second U.S. state to enact a broad data privacy regime after Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law. Virginia follows California, which became the first state to pass a comprehensive data privacy law, the California Consumer Privacy Act (CCPA), in June 2018. The CCPA became operative January 1, 2020 after several amendments necessary for its implementation, which we previously covered here and here. (California is set to enact another privacy law entitled the California Privacy Rights Act (CPRA) - to update the CCPA in November 2020.) There is also a raft of other state privacy laws in the pipeline, and Virginia’s new law aligns with a trend toward states ratcheting up broadly applicable privacy-related legal obligations.
New York Has More to Say About Consumer Data Privacy
As the national landscape of data privacy laws evolves, New York may be poised to follow California in passing legislation that creates new data rights for New York consumers. New York is no stranger to this field. The New York Department of Financial Services’ cybersecurity regulation was the first of its kind in the nation, aimed specifically at the banking and insurance industries. The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act continued the trend beyond the financial services industry, heightening breach disclosure requirements and imposing enhanced rules for businesses holding the personal data of New York residents. And New York’s Governor, Andrew Cuomo, recently proposed a 2021 budget bill that contemplates a comprehensive data privacy law, the New York Data Accountability and Transparency Act (“NYDAT”), which would vastly expand the scope of New York’s privacy protections, creating an East Coast analogue to California’s CCPA.
Peeling Away the Privilege: Another Court Orders Production of Data Breach Investigation Report

A federal court recently added additional wrinkles to one of the most important aspects of responding to a data breach: a forensic investigative report. The court ordered a law firm to turn over a report produced by a forensics firm engaged by the law firm’s counsel in the wake of a cyber incident. Experienced cyber counsel know that protecting the confidentiality of work product—including investigative reports—is critical in the aftermath of a breach and in ensuing litigation; this decision makes clear that companies and their counsel need to be as deliberate as ever to maintain the integrity of all appropriate legal privileges during a fast-moving breach response.
Cyber Attacks Targeting K-12 Education Are On the Rise

As remote learning continues to play a critical role in the world’s pandemic response, cybercriminals see another opportunity for exploitation. The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued an Advisory warning of cyber-attacks on K-12 educational institutions. The Advisory reports that in August and September, ransomware incidents targeting K-12 education reported to the MS-ISAC made up 57% of all reported ransomware incidents, up from 28% reported from January through July.
Ransomware as Reminder: Back to Basics of Cyber Readiness
The growing threat from ransomware is forcing organizations to re-think their cyber risk mitigation strategy. As private organizations and governments look ahead to 2021 and the risks they face in an increasingly uncertain world, ransomware will no doubt rank high on any list. Ransomware attacks involve the use of malware that encrypts the victim’s computing system, rendering files and data inaccessible until a demand for payment is met, and a decryption key is provided.
Hack of IT Service Provider May Affect Thousands of Private Businesses
On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber attack that may have resulted in malicious code being pushed to as many as 18,000 customers. The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks. Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.
Supreme Court Hears Oral Argument in Landmark CFAA Case
The United States Supreme Court heard oral argument on Monday in Van Buren v. United States, No. 19-783, a landmark case involving a key provision of the Computer Fraud and Abuse Act (“CFAA”). At issue was whether a person who is authorized to access information on a computer for certain purposes violates CFAA if that person accesses the same information for unauthorized reasons. The Court’s decision has the potential to resolve an important circuit split on the interpretation of CFAA and to define the contours of a hotly debated anti-hacking statute that applies to both criminal prosecutions and civil actions.
Who’s On the Other Side: OFAC Releases Guidance on Ransomware Payments and Sanctions Enforcement

As we previously reported, companies across the globe increasingly have been targeted by cyber criminals during the COVID-19 pandemic. Just last month, a major U.S. healthcare provider, United Health Services (“UHS”), suffered a ransomware attack, crippling its digital networks and forcing many UHS-owned facilities to rely on offline backups and paper charts to provide health care. The attack on UHS is one of the latest incidents in a trend of increasing ransomware attacks, a type of cyberattack in which cyber criminals use malware to block access to the victim’s computer system to extract a monetary payment. Ransomware victims are already faced with difficult decisions regarding payment and business continuity. But the underlying risk associated with such payments runs deeper, in no small part because cyber criminals are almost universally anonymous. A recent advisory (the “Advisory”) from the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) provides guidance on ransomware payments that may implicate U.S. sanctions. The Advisory makes clear that parties that pay or facilitate ransomware payments may face substantial legal consequences if a payment is made to a party subject to U.S. sanctions, whether the payor knows of those sanctions or not.
Government Warns of New Cyber Threats Targeting U.S. Businesses
The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses. These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access. Once the hackers gain access through a VPN, they export data, sell access to the network, and have the ability to install ransomware. This is just the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.
Ransomware Attacks During COVID-19
As we previously described and as reflected in the rapidly increasing number of cyber-attacks since its start, the COVID-19 pandemic has triggered a shift in working practices that hackers and other bad actors are using to their advantage. Recent studies show a 273% rise in large-scale data breaches in the first quarter of 2020, compared to prior-year statistics, and a 109% year-over-year increase in ransomware attacks in the United States through the first half of 2020. This post will focus specifically on ransomware attacks targeting researchers working on a COVID-19 vaccine and how these attacks have evolved since the start of the pandemic.