Photo of Anna Chan

Cyber SecurityWhat Is Tax-Related Identity Theft?

Fraudulent tax refunds issued as a result of identity theft occur when an individual steals a victim’s personally identifiable information (PII), such as a Social Security number (SSN), and files a tax return claiming to be the victim. More than 89,000 Americans filed complaints with the Federal Trade Commission (FTC) reporting tax fraud linked to identity theft in 2020. Similarly, businesses may also fall victim to tax fraud, where an individual steals a business’s employer identification number (EIN) to file fraudulent returns. In both scenarios, the victims usually discover they have fallen victim to such fraud when their tax returns are rejected, or when the business receives notice about Forms W-2 they didn’t file with the Social Security Administration or notices for balances due to the Internal Revenue Service (IRS) that are not owed. Most frequently, neither businesses nor individuals will have any reliable information as to how their information has been exposed. The IRS has noted such tax fraud tends to increase during tax season and time of crisis, and cybercriminals have undeniably taken advantage of the COVID-19 pandemic to unleash an unprecedented number of tax fraud schemes to steal information from taxpayers.
Continue Reading Best Practices to Avoid Tax-Related Identity Theft

LockOn July 22, 2020, New York’s Department of Financial Services (NYDFS) filed its first cybersecurity enforcement action against First American Title Insurance Company (First American), seeking civil monetary penalties for several violations of its cybersecurity regulation, 23 NYCRR §500.  Entities subject to New York’s Financial Services Law, such as First American, may be subject to a civil penalty up to $1,000 per violation or up to $5,000 per intentional violation, and according to NYDFS, each instance of unauthorized disclosure of NPI constitutes a separate violation. Therefore, an enforcement action under 23 NYCRR §500 may result in a hefty fine, particularly in the even of a large-scale data breach.
Continue Reading NYDFS Brings its First Cybersecurity Enforcement Action

Digital LockThe SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert related to Ransomware on July 10, 2020. In the publication, Cybersecurity: Ransomware Alert, OCIE alerts companies to the increase in sophisticated campaigns orchestrated to invade financial institution networks in order to obtain confidential information and plant ransomware. The attacks generally involve perpetrators using “phishing and other campaigns designed to penetrate financial institution networks … to access internal resources and deploy ransomware.” Once the ransomware is deployed, institutions typically lose control of the ability to use and maintain the integrity of their systems and data until they pay a ransom to the attackers.
Continue Reading OCIE’s Guidance on Ransomware Attacks

Cyber SecurityWe reported last summer on two new legislative enactments in New York putting new demands on how companies handle the personal data of New York residents: the Identity Theft Protection and Mitigation Services Act (ITPMS Act), and the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). Both were signed into law on July 25, 2019, and as described below, both have since then come gradually into full effect. This includes their most significant feature: as of March 21, 2020, “any business that owns or licenses computerized data which includes private information of a resident of New York” now faces the prospect of an enforcement action by the New York Attorney General’s (AG) Office for the assessment of penalties if the company fails to develop, implement and maintain “reasonable safeguards” for the protection of that information.
Continue Reading “Reasonable Safeguards Requirement” For Personal Information of New York Residents Now Kicks In (with even broader Privacy/Security Legislation Still in the Offing)

CCPAThe California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Despite requests made by multiple trade associations for delay in the enforcement of CCPA due to COVID-19, the California Attorney General’s office has declined to delay enforcement, which is set to begin July 1, despite the AG’s failure to release final regulations.

The AG’s office first released proposed regulations in October 2019, our summary of the draft regulations can be found here. After the new year, the AG released two sets of modifications to the draft regulations on February 10 and March 11. At a privacy and data security conference last week, a staff member from the California state legislature commented that, due to the pressures and working circumstances created by COVID-19, the most recent version of the regulations, published March 11, are likely to be the version used for enforcement beginning in July. Significantly, the office rejected suggestions that the regulations be delayed because corporations are experiencing these same COVID-19 pressures.
Continue Reading CCPA Regulations Are Likely Final