Data Security Law Blog Digest
In an effort to keep our readers up-to-date on the latest developments in cybersecurity law and regulation, we are pleased to share an overview of our team’s recent blog posts.
As the national landscape of data privacy laws evolves, New York may be poised to follow California in passing legislation that creates new data rights for New York consumers. New York is no stranger to this field. The New York Department of Financial Services’ cybersecurity regulation was the first of its kind in the nation, aimed specifically at the banking and insurance industries. The Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act continued the trend beyond the financial services industry, heightening breach disclosure requirements and imposing enhanced rules for businesses holding the personal data of New York residents. And New York’s Governor, Andrew Cuomo, recently proposed a 2021 budget bill that contemplates a comprehensive data privacy law, the New York Data Accountability and Transparency Act (“NYDAT”), which would vastly expand the scope of New York’s privacy protections, creating an East Coast analogue to California’s CCPA.
A federal court recently added additional wrinkles to one of the most important aspects of responding to a data breach: a forensic investigative report. The court ordered a law firm to turn over a report produced by a forensics firm engaged by the law firm’s counsel in the wake of a cyber incident. Experienced cyber counsel know that protecting the confidentiality of work product—including investigative reports—is critical in the aftermath of a breach and in ensuing litigation; this decision makes clear that companies and their counsel need to be as deliberate as ever to maintain the integrity of all appropriate legal privileges during a fast-moving breach response.
As remote learning continues to play a critical role in the world’s pandemic response, cybercriminals see another opportunity for exploitation. The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued an Advisory warning of cyber-attacks on K-12 educational institutions. The Advisory reports that in August and September, ransomware incidents targeting K-12 education reported to the MS-ISAC made up 57% of all reported ransomware incidents, up from 28% reported from January through July.
The growing threat from ransomware is forcing organizations to re-think their cyber risk mitigation strategy. As private organizations and governments look ahead to 2021 and the risks they face in an increasingly uncertain world, ransomware will no doubt rank high on any list. Ransomware attacks involve the use of malware that encrypts the victim’s computing system, rendering files and data inaccessible until a demand for payment is met, and a decryption key is provided.
On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber-attack that may have resulted in malicious code being pushed to as many as 18,000 customers. The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks. Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.
The United States Supreme Court heard oral argument on Monday in Van Buren v. United States, No. 19-783, a landmark case involving a key provision of the Computer Fraud and Abuse Act (“CFAA”). At issue was whether a person who is authorized to access information on a computer for certain purposes violates CFAA if that person accesses the same information for unauthorized reasons. The Court’s decision has the potential to resolve an important circuit split on the interpretation of CFAA and to define the contours of a hotly debated anti-hacking statute that applies to both criminal prosecutions and civil actions.
As we previously reported, companies across the globe increasingly have been targeted by cyber criminals during the COVID-19 pandemic. Just last month, a major U.S. healthcare provider, United Health Services (“UHS”), suffered a ransomware attack, crippling its digital networks and forcing many UHS-owned facilities to rely on offline backups and paper charts to provide health care. The attack on UHS is one of the latest incidents in a trend of increasing ransomware attacks, a type of cyberattack in which cyber criminals use malware to block access to the victim’s computer system to extract a monetary payment. Ransomware victims are already faced with difficult decisions regarding payment and business continuity. But the underlying risk associated with such payments runs deeper, in no small part because cyber criminals are almost universally anonymous.