On July 22, 2020, New York’s Department of Financial Services (NYDFS) filed its first cybersecurity enforcement action against First American Title Insurance Company (First American), seeking civil monetary penalties for several violations of its cybersecurity regulation, 23 NYCRR §500. Entities subject to New York’s Financial Services Law, such as First American, may be subject to a civil penalty up to $1,000 per violation or up to $5,000 per intentional violation, and according to NYDFS, each instance of unauthorized disclosure of nonpublic information (NPI) constitutes a separate violation. Therefore, an enforcement action under 23 NYCRR §500 may result in a hefty fine, particularly in the event of a large-scale data breach.
Continue Reading NYDFS Brings its First Cybersecurity Enforcement Action

UPDATE July 17, 2020: Representatives of the U.S., British and Canadian governments reported yesterday that Russian hackers affiliated with known hacking group APT29 (or “Cozy Bear”) are targeting health care organizations researching COVID-19 vaccines. Cozy Bear, previously involved in the 2016 hacking of the Democratic National Committee, has reportedly been using spear-phishing and malware in an effort to steal the research. This announcement comes on the heels of a spate of attacks against research universities and health care organizations in recent months, described below.

While the pandemic has brought economic downturn to many industries, a recent uptick in data security breaches suggests business is booming for cybercriminals. Universities and health care institutions dealing with the coronavirus have been particularly targeted by hackers attempting to exploit the current climate of confusion, urgency, and stress. In this post, we discuss the attacks and provide steps organizations can take to prevent and respond to breaches.
Continue Reading Universities and Hospitals Facing Increased Cyber Attacks

Karl Racine, the first elected Attorney General for the District of Columbia, will likely be more of a factor when responding to data breaches in light of a new Washington, D.C. law, which passed at the end of March. Slated to take effect by June 12, 2020, the new Security Breach Protection Amendment Act of 2019 requires entities to maintain “reasonable security safeguards,” significantly expands the definition of “personal information,” imposes new requirements to notify the Attorney General’s Office, and mandates 18 months of free credit monitoring for breaches involving a Social Security or tax identification number.
Continue Reading New D.C. Data Security Requirements and Amended Breach Requirements to Take Effect by June 12, 2020

In news that will no doubt alarm many of the airline’s passengers, easyJet plc (easyJet) has confirmed that it has suffered a serious data breach affecting nine million customers as the result of a cyber-attack. In addition to certain personal data including email addresses and travel details, the credit card details of 2,208 customers have apparently been impacted and the UK Information Commissioner’s Office (ICO) has been informed.
Continue Reading easyJet Suffers Data Breach Involving Nine Million Customers

Businesses within the scope of California’s groundbreaking privacy law, the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020, may need to revise privacy policies and change their compliance programs once again if a new ballot initiative passes this November. Californians for Consumer Privacy, the group that sponsored the CCPA, announced last week that it is submitting over 900,000 signatures in favor of the California Privacy Rights Act (CPRA) to qualify the initiative for the November 2020 ballot.
Continue Reading 2020 Ballot Initiative to Expand California Privacy Law Receives 900,000 Signatures