The Federal Trade Commission’s increased activity in the data security arena continues, as the FTC has ordered nine social media and video streaming companies—including Facebook, Twitter, TikTok, and Reddit—to provide data on their data privacy practices. The orders seek to discover on (i) how these companies collect, use and present personal information, (ii) their advertising, (iii) their user engagement practices, and (iv) how their practices affect children and teenagers.

In issuing the orders, the FTC focused on social media’s monetization of users’ activities and “the industry’s increasing intrusion into our private lives.” In a joint statement, the FTC wrote: Continue Reading FTC Launches Investigation Into Facebook, Twitter, and Other Social Media Sites

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint warning that malicious cyber actors are targeting kindergarten through twelfth-grade (K-12) educational institutions. These actors are initiating ransomware attacks, data thefts, and general disruption of distance learning efforts. The agencies expect these attacks to continue through the 2020-21 academic year.

Among other things, cyber actors have launched ransomware attacks against school computer systems, rendering them inaccessible for distance learning and other basic functions. They have also stolen and threatened to leak confidential student data and personal information unless the institutions paid a ransom. In August and September 2020, 57 percent of ransomware incidents reported to MS-ISAC involved K-12 school, compare to 28 percent of such incidents from January through July. Continue Reading Cyber Actors Hit K-12 Distance Learning Efforts With Ransomware and Phishing Attacks

Last week FireEye announced publicly that it had suffered a cyber-attack by  a “highly sophisticated state-sponsored attacker utilizing novel techniques.”[1] FireEye is a leading cybersecurity firm whom provides information security services and tools, including forensic investigation services, to high profile clients worldwide. In its public disclosure of the breach, FireEye reported the threat actor specifically targeted its Red Team tools. FireEye then preemptively released the means and methods to detect those Red Team tools. In its investigation of the incident, FireEye discovered that a widely used IT service provider, SolarWinds®, had also been hacked. The threat actor infiltrated SolarWinds and then packaged a malicious trojan into a normal SolarWinds update. SolarWinds believes as many as 18,000 clients may have download the update with the malicious trojan.

On December 13, 2020, the United States Cyber Security and Infrastructure Agency (CISA) issued Emergency Directive 21-01.[2] CISA recommends that “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.” In the Emergency Directive, CISA provides additional suggested remediation steps. In light of the widespread use of SolarWinds products and services, which impacts entities beyond federal agencies, entities should also consider whether the CISA Emergency Directive also applies to their environment.

The Washington Post has reported that the Russian hacking group called “APT29” or “Cozy Bear” had carried out this attack and that APT29 has also breached the Treasure and Commerce Departments, along with other US government agencies. This blog has discussed APT29’s previous cyberattacks here.  The Firewall has analyzed APTs—advanced persistent threats—in depth here, here, and here.

For more information regarding this article, please contact Richard Halm.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.

[1] https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

[2] https://cyber.dhs.gov/ed/21-01/

While public attention focused on the federal and state elections, Michigan voters made an important decision—they adopted Proposal 20-2, which amended Michigan’s Constitution to extend its protection from unreasonable searches and seizures to electronic data and communications. With the proliferation of personal electronic devices and storage of business information on computers used at home in the past few decades, federal and state courts, including the Supreme Court, have grappled with how to apply Fourth Amendment protections against unreasonable searches and seizures in a digital age. Although Proposal 20-2 might not change investigative practice, it clarifies that electronic data and communications are subject to the same protection against unreasonable search and seizure as other “traditional” information, such as paper records. Continue Reading Michigan Voters Add Constitutional Protections for Electronic Data and Communications

On November 9, the FTC announced a settlement of its complaint against Zoom Video Communications, Inc. The complaint charged Zoom with deceptive and unfair privacy and security practices, including claiming that it offered end-to-end encryption.

The end-to-end encryption claim has garnered the most attention. As the complaint states, Zoom represented that it offered end-to-end encryption. Instead, as this blog has previously explained, Zoom offered transport encryption, which meant that the Zoom service itself could access the unencrypted video and audio content of meetings. This meant that the confidentiality of recorded Zoom meetings depended entirely upon Zoom servers’ security from hackers—a particular concern for some users given that Zoom has servers in China. (As of October 26, Zoom began offering true end-to-end encryption as a technical preview, meaning that the company is proactively seeking feedback from its users.) Continue Reading FTC Settles Complaint Against Zoom Regarding End-to-End Encryption

“This article was originally published with Security Toolbox on September 15, 2020. You can view the original content, here.”

Domestic and international politics have invaded the field of data security, and the COVID-19 pandemic has only added to this invasion. Shane O’Donnell a partner & Chief Audit Executive at The Mako Group and Sean Griffin, a member at Dykema explains how security leaders can safeguard their crucial IT infrastructure in this new era of data security and navigate foreign and domestic politically motivated leaks.

Like it or not, domestic and international politics have invaded the field of data security.  Of course, COVID-19 has assisted this invasion, but other political factors from the upcoming US election to this summer’s Black Lives Matter protests have played a part. Data security professionals must therefore keep an eye not only on their IT infrastructure but the practical consequences of recent political actions. Continue Reading Political Cost of Data Leaks: Data Security in the Crosshairs

Just over eight months after the effective date of the California Consumer Privacy Act (CCPA), the California Office of Administrative Law (OAL) approved the final California Attorney General’s CCPA regulations on June 1, 2020. The regulations are effective immediately.

In conjunction with the release of the final version of the regulations, the AG released an Addendum to Final Statement of Reasons explaining that it had (1) withdrawn certain provisions for additional consideration and (2) any changes to the text of the June 1, 2020 regulations were “non-substantive” and for “accuracy, consistency, and clarity.” The AG defined “non-substantive” as those changes that “clarify without materially altering the requirements, rights, responsibilities, conditions or prescriptions contained in the original text.” Continue Reading CCPA Regulations Are Now Final

Cannabis companies nationwide are facing yet another statutory obstacle that can have serious (and potential ruinous) consequences for the emerging industry if not appropriately addressed—the Telephone Consumer Protection Act (“TCPA”). There is a recent uptick in class-action lawsuits filed against cannabis companies across the country premised on alleged violations of the TCPA including lawsuits in Michigan and California. These complaints allege cannabis companies sent unsolicited marketing text messages or placed automated phone calls to individuals without their consent. Cannabis dispensaries and other cannabis-related businesses should add TCPA compliance protocols to their checklist of regulatory requirements to be satisfied in this quickly emerging industry.

The TCPA

Enacted in 1991, the TCPA heavily regulates the ability to send phone, text, or facsimile messages through automatic telephone dialing systems. Non-compliance with the statute can be costly, as companies found to have violated the TCPA can be liable for $500 per call or text sent in violation of the Act, and up to $1,500 for willful or knowing violations. Damages are also not capped under the TCPA, so even a small number of texts or calls sent to a large number of recipients can lead to hefty damage awards. The ability to recover significant damages results in most TCPA claims being brought as class-actions. As a result, it is imperative that cannabis businesses that communicate with customers via text or by phone understand the rules governing the TCPA to avoid or at least minimize their liability exposure. Continue Reading Why Cannabis Companies Need to Care About the TCPA

Months ago, the Firewall warned that cybercriminals were taking advantage of the anxiety and insecurity from COVID-19 to promulgate phishing schemes, malware, and other schemes.  Interpol recently released a report (click here to download PDF from Interpol) warning of these dangers and other cybercriminal activity that exploits the current COVID-19 environment. As the Firewall advised in April, Interpol’s report notes that cybercriminals are taking advantage of the increased security vulnerabilities arising from the sudden shift to remote work.

Interpol groups the recent COVID-related cybercriminal activity into five categories. Continue Reading COVID-19 Increases Data Security Threats, Interpol Warns

After the Fourth Circuit held that a commercial general liability (“CGL”) policy could cover a data incident in 2016, confusion arose as to whether CGL policies would continue to cover data breaches. A recent California lawsuit by the smart-TV maker Vizio against two of its insurance companies shows that this confusion also arises when an insured invokes CGL policies to cover litigation arising from alleged data misuse.

The smart-TV maker Vizio has faced multiple proposed class actions arising from the alleged sharing of its customers’ viewing data with third parties. Vizio recently reached a $17 million settlement to resolve multidistrict litigation (MDL) on behalf of 16 million Vizio owners alleging the sale of their data without their consent. Continue Reading Somebody’s Watching Me: A Recent Smart-TV Lawsuit Seeks Insurance Coverage for Privacy Litigation