On October 1, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published an advisory to alert companies to potential sanctions risks related to ransomware payments (the “Advisory”). While ransomware attacks, by design, create business-critical problems requiring swift attention and remediation, the Advisory cautions that victims of ransomware attacks, and ransomware-related service providers, must balance such considerations against the risk of sanctions liability. Continue Reading: Between a Rock and a Hard Place: OFAC Issues Advisory on Ransomware Payments
On September 15, 2020, the Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert regarding its recent observation of growing “credential stuffing” attacks against SEC-registered investment advisers and broker-dealers (“firms”). These attacks use compromised usernames and passwords from the dark web to access investors’ accounts. The increase in credential stuffing exploits presents considerable financial, legal, and reputational risks. OCIE’s alert encourages firms to consider various mitigation efforts to reduce the risk of credential stuffing, particularly the use of multi-factor authentication (MFA). Although the alert is phrased as encouragement, OCIE is certainly suggesting that the industry standard should be for firms to protect against these attacks, even though these attacks stem primarily from a client’s behavior in re-using a username/password combination and another website’s loss of that combination. Continue Reading: New OCIE Guidance on Credential Stuffing Attacks
A federal judge in Oregon, Hon. Michael H. Simon, has recently upheld a $925 million statutory damages award against health supplement maker ViSalus for its violation of the Telephone Consumer Protection Act (“TCPA”)—making this the largest TCPA damages award to date.
The underlying class action against ViSalus alleged the company placed nearly 2 million unsolicited robocalls nationwide to advertise its weight-loss and dietary products. The class argued that the robocalls constituted unlawful telemarketing practices and violated the TCPA, and after a three-day trial in April of 2019, a jury agreed. Continue Reading: $925M TCPA Robocall Award Upheld
The Supreme Court generally upheld the constitutionality of the Telephone Consumer Protection Act (TCPA) in Barr v. American Association of Political Consultants, Dkt. No. 19-631, issued on July 6, 2020. Multiple stakeholders have been pressing on the constitutionality of the TCPA, including advocates against “nuisance” robocalls, service providers wary of uncertain class action liability, and free speech advocates wanting less regulation. The Supreme Court determined that only an exception to the TCPA permitting automated government debt collector calls was an unconstitutional restriction on free speech. To remedy this violation, the Court rejected requests to find the entirety of the TCPA statute unconstitutional and instead affirmed the Fourth Circuit’s approach of severing the offending exception from the statute.
The Supreme Court’s concerns about the governmental debt exception, however, could point to a vulnerability in other privacy statutes, such as the California Consumer Privacy Act, which exempts non-profits. Going forward, privacy advocates will need to be particularly mindful of free speech concerns as privacy legislation grows. Continue Reading: Supreme Court Upholds Constitutionality of the TCPA But Severs the Government Debt Carve-Out on First Amendment Grounds
On August 14, 2020, California Attorney General Xavier Becerra announced the California Office of Administrative Law’s approval of the final California Consumer Privacy Act (CCPA) regulations, and filed them with the California Secretary of State. The AG’s office stated that the regulations are effective immediately.
The OAL made additional revisions to the March 11, 2020 regulations, summarized here, which were themselves revised regulations that followed several rounds of public forums, hearings, and comment periods. At a high level, the final text’s noteworthy substantive revisions from the March submission (noted in the OAG’s Addendum to the Final Statement of Reasons) include the following: Continue Reading: CCPA Regulations Approved
On July 22, 2020, New York’s Department of Financial Services (NYDFS) filed its first cybersecurity enforcement action against First American Title Insurance Company (First American), seeking civil monetary penalties for several violations of its cybersecurity regulation, 23 NYCRR §500. Entities subject to New York’s Financial Services Law, such as First American, may be subject to a civil penalty of up to $1,000 per violation or up to $5,000 per intentional violation, and according to NYDFS, each instance of unauthorized disclosure of NPI constitutes a separate violation. Therefore, an enforcement action under 23 NYCRR §500 may result in a hefty fine, particularly in the event of a large-scale data breach. Continue Reading: NYDFS Brings its First Cybersecurity Enforcement Action
On August 13, two California contact tracing bills, AB-660 and AB-1782, were approved by the California Senate Judiciary Committee. These bills would affect how public agencies can collect, store and disclose personal information that is used to facilitate COVID-19 contact tracing.
- If enacted, AB-660 would prohibit any use or disclosure of data collected for purposes of contact tracing other than further contact tracing efforts.
- If enacted, AB-1782 would require businesses using or providing contact tracing technologies to provide individuals with the right to consent, access, correct, and delete personal information about them, and to carry out other measures regarding use, security, and maintenance of the data.
On March 6, 2020, the China Standardization Administration and the State Administration for Market Regulation jointly released an updated version of the Personal Information Security Specification (the “Specification”), which will become effective on October 1, 2020. The updated Specification revises the current Specification that has been in effect since May 1, 2018, and is the result of a revision effort by the Specification’s drafters that included a series of interim drafts published for public comment on January 30, 2019, June 21, 2019, and most recently, on October 22, 2019, in order to address certain loopholes and practices leading to excessive collection of personal information. Continue Reading: China Updates its Personal Information Security Specification
The SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert related to Ransomware on July 10, 2020. In the publication, Cybersecurity: Ransomware Alert, OCIE alerts companies to the increase in sophisticated campaigns orchestrated to invade financial institution networks in order to obtain confidential information and plant ransomware. The attacks generally involve perpetrators using “phishing and other campaigns designed to penetrate financial institution networks … to access internal resources and deploy ransomware.” Once the ransomware is deployed, institutions typically lose control of the ability to use and maintain the integrity of their systems and data until they pay a ransom to the attackers. Continue Reading: OCIE’s Guidance on Ransomware Attacks
Latin American privacy laws may pose special challenges for businesses considering when and how to reopen their facilities during the coronavirus pandemic. As elsewhere, many companies operating in Latin America may decide to screen employees for their COVID-19 risk levels before allowing them to enter a shared workspace. Already in place in many European and Asian countries, screening options primarily involve contact tracing or temperature checks. As they focus on health and safety, however, companies should also bear in mind a potentially competing interest: protecting employees’ privacy. Continue Reading: Returning to the Office – Data Privacy Concerns for Companies in Latin America