Digital LockOn Friday, December 4, 2020, H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, was signed into law. The bipartisan bill was sponsored by Senators Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate and Representatives Robin Kelly (D-IL), and Will Hurd (R-TX) in the House. The new law will require IoT devices “owned or controlled” by the federal government to meet minimum security standards that address network vulnerabilities, and it may have significant implications for government contractors. It was introduced in response to a series of distributed denial of service (DDoS) attacks in 2016, in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, causing a severe disruption in commercial web services.

Continue Reading Meet the US’s New Federal IoT Cybersecurity Law

GDPROn 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers.  The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount.  Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
Continue Reading British Airways Fined £20 Million by ICO for Data Breach

LockOn July 22, 2020, New York’s Department of Financial Services (NYDFS) filed its first cybersecurity enforcement action against First American Title Insurance Company (First American), seeking civil monetary penalties for several violations of its cybersecurity regulation, 23 NYCRR §500.  Entities subject to New York’s Financial Services Law, such as First American, may be subject to a civil penalty up to $1,000 per violation or up to $5,000 per intentional violation, and according to NYDFS, each instance of unauthorized disclosure of NPI constitutes a separate violation. Therefore, an enforcement action under 23 NYCRR §500 may result in a hefty fine, particularly in the even of a large-scale data breach.
Continue Reading NYDFS Brings its First Cybersecurity Enforcement Action

UPDATE July 17, 2020: Representatives of the U.S., British and Canadian governments reported yesterday that Russian hackers affiliated with known hacking group APT29 (or “Cozy Bear”) are targeting attacks on health care organizations researching COVID-19 vaccines. Cozy Bear, previously involved in the 2016 hacking of the Democratic National Committee, has reportedly been using spear-phishing and malware in an effort to steal the research. This announcement comes on the heels of a spate of attacks against research universities and health care organizations in recent months, described below.”

While the pandemic has brought economic downturn to many industries, a recent uptick in data security breaches suggests business is booming for cybercriminals. Universities and health care institutions dealing with the coronavirus have been particularly targeted by hackers attempting to exploit the current climate of confusion, urgency, and stress. In this post, we discuss the attacks and provide steps organizations can take to prevent and respond to breaches.
Continue Reading Universities and Hospitals Facing Increased Cyber Attacks

BillKarl Racine, the first elected Attorney General for the District of Columbia, will likely be more of a factor when responding to data breaches in light of a new Washington, D.C. law, which passed at the end of March. Slated to take effect by June 12, 2020, the new Security Breach Protection Amendment Act of 2019 requires entities to maintain “reasonable security safeguards,” significantly expands the definition of “personal information,” imposes new requirements to notify the Attorney General’s Office, and mandates 18 months of free credit monitoring for breaches involving social security or tax identification number.
Continue Reading New D.C. Data Security Requirements and Amended Breach Requirements to Take Effect by June 12, 2020

Digital LockIn news that will no doubt alarm many of the airline’s passengers, easyJet plc (easyJet) has confirmed that it has suffered a serious data breach affecting nine million customers as the result of a cyber-attack.  In addition to certain personal data including email addresses and travel details, the credit card details of 2,208 customers have apparently been impacted and the UK Information Commissioner’s Office (ICO) has been informed.
Continue Reading easyJet Suffers Data Breach Involving Nine Million Customers

CABusinesses within the scope of California’s groundbreaking privacy law, the California Consumer Privacy Act (CCPA), which went into effect January 1, 2020, may need to revise privacy policies and change their compliance programs once again if a new ballot initiative passes this November. Californians for Consumer Privacy, the group that sponsored the CCPA, announced last week that it is submitting over 900,000 signatures in favor of the California Privacy Rights Act (CPRA) to qualify the initiative for the November 2020 ballot.
Continue Reading 2020 Ballot Initiative to Expand California Privacy Law Receives 900,000 Signatures