Recently, this blog warned about Advanced Persistent Threats (APTs)—state-sponsored hackers that attack U.S. companies in the hopes of sowing political, technological, or financial disruption. In particular, we warned that healthcare companies were a favorite APT target, as foreign governments sought to extract data relating to healthcare research.

Security officials in the United States, the United Kingdom, and Canada recently announced that a Russian APT called APT29 is targeting organizations involved in national and international COVID-19 responses. According to U.S. intelligence services, APT29 is part of the SVR, Russia’s CIA equivalent, and UK officials also blame it for attacks against the 2016 presidential election.Continue Reading Recent Russian Cyberattacks Against Coronavirus Researchers and Other Industries Provides a Lesson on Cyber Preparedness

This article is the last in our series on the threat APTs pose (you can find part 1 here and part 2 here) and focuses on the practical steps organizations can take to guard against APT attacks. Given the sophisticated, patient nature of APTs and the varied methods they use to compromise their targets, no single solution can prevent APT attacks. However, companies that take a comprehensive approach to their security posture and maintain a strong understanding of their own data and network can mitigate the threats posed by these entities.

Specifically, strengthening compliance with cybersecurity laws and industry regulations, maintaining multiple layers of network security, and educating employees on APT attacks can help organizations defend against APT intrusions. Further, organizations with updated data inventories, a strong understanding of their data management policies, and a definite baseline of ordinary network activity can place themselves in the best position to identify APT activity before it is too late.
Continue Reading U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs) – Part 3

On July 6, the United States Supreme Court issued its decision in Barr v. American Association of Political Consultants, Inc.. The Court considered whether a 2015 amendment to the Telephone Consumer Protection Act (“TCPA”) that created an exemption for debt collection calls relating to debts owed to, or guaranteed by, the federal government ran afoul the First Amendment. The American Association of Political Consultants, Inc. (“AAPC”) wished to make political calls to cell phones, just as the collectors of federal government debt are allowed to. The AAPC challenged the 2015 amendment’s constitutionality, claiming that it violated the First Amendment because it content-based and did not satisfy the strict scrutiny standard. The Fourth Circuit Court of Appeals agreed that the exemption unconstitutional but declined to strike down the entire TCPA as unconstitutional. The Fourth Circuit instead elected to sever the constitutionally offensive amendment and permit the balance of the TCPA to stand. The Supreme Court appeal considered two discrete questions: (1) whether the 2015 exemption for debt collection calls relating to government-backed debt was constitutional; and (2) if not, then what was the proper remedy to address the constitutional violation.
Continue Reading The Big TCPA Case That Wasn’t

Our first segment on APTs focused on the nature of the APT threat and the industries and data most at risk of these attacks. This section provides an in-depth overview of APT attack patterns and specific examples of APT attacks. Generally speaking, APT attack patterns overlap with popular cybersecurity attack pattern frameworks, such MITRE’s “PRE-ATT&CK and ATT&CK” and Lockheed Martin’s “Cyber Kill Chain” framework These frameworks break down network attacks into a series of stages that explain a threat actor’s conduct at each step of the attack. Although a number of threat actors and APTs share the attack patterns these frameworks describe, APT attacks approach these steps in a unique manner.
Continue Reading U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs) – Part 2

The U.S. Departments of State, Treasury, and Homeland Security, and the Federal Bureau of Investigation recently released a joint advisory (the “Advisory”) outlining a number of cyber theft, ransomware, and money laundering operations originating from organized hacking groups sponsored by the North Korean government. According to the Advisory, these state-sponsored hacking groups have attempted to steal as much as $2 billion through cyber-enabled thefts on financial institutions as of late 2019, and are known to use automated digital currency transactions to launder their ill-gotten gains. These cyber-theft operations are among the latest in the list of high-profile breaches these actors are believed to have been responsible for, including the WannaCry 2.0 ransomware that hit a number of hospitals and corporations in the United States and abroad in May 2017, and the Sony Pictures Entertainment breach in November 2014.
Continue Reading U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs) – Part 1

The Genesis of Three Competing Federal Bills

In 2018, there were numerous congressional and industry proposals aimed at addressing privacy on the federal level. Although none ever crystalized as federal law, the sheer number of lawmakers introducing proposals and getting involved in the debate made clear that privacy would be a focus in 2019. As 2019 began, there was hope that the various state privacy statutes being enacted and debated were putting even more pressure on the federal government to enact bipartisan federal privacy legislation. The California Consumer Privacy Act’s (CCPA) January 1, 2020 go-live date also seemed to be increasing pressure on Congress to act. Nowhere was the combination of hope and pressure more pronounced than in the Senate Committee on Commerce, Science, and Transportation. Throughout 2019, bipartisan discussions on federal privacy legislation seemed to be progressing. Those talks ultimately broke down towards the end of 2019 and resulted in three separate, rival legislative proposals: COPRA, CDPA, and CDPSA.
Continue Reading Federal Privacy Legislation: Where Are We and Where Are We Going?

On March 26, 2020, the District of Colombia enacted Act 23-268, known as the “Security Breach Protection Amendment Act of 2020.” Acting as an amendment of Section 28 of Chapter 38 of the District of Columbia Code, the Act: (1) expands the definition of “personal information,” (2) amends breach notification requirements, (3) adds new security requirements; and (4) expands the Act’s enforcement.

1. Definition of “Personal Information”

Under the Act, “personal information” now includes an individual’s name combined with one of the following data elements:
Continue Reading District of Columbia Amended Privacy Law Creates New Requirements

On the list of concerns recently expressed about police conduct, data privacy ranks relatively low. However, a recent privacy leak by the New York Police Department’s union has shown how data privacy concerns can arise in any situation.

On May 30, the NYPD union tweeted a picture of a computer screen showing recent NYPD arrests relating to the recent civil disturbances following the widely publicized deaths of George Floyd, Breonna Taylor, and others. New York mayor Bill de Blasio’s daughter, Chiara, appeared on the report. The unredacted screenshot showed her name, her birth date, and her driver’s license information—the last being considered personally identifiable information under New York law. Twitter removed the post as a violation of its rules and suspended the union’s account.
Continue Reading Government Data Leaks May Have Broad Data Privacy Implications

In a case of first impression, the Seventh Circuit just answered a much-anticipated question about standing in cases filed under the Illinois Biometric Information Privacy Act (“BIPA”).  Bryant v. Compass Grp. USA, Inc. decided whether a BIPA plaintiff has Article III standing. The answer is both yes and no.  This dual answer is not surprising given the awkwardness of the arguments presented. Though the holding is a victory for the defense bar, Bryant is the latest evidence of an ever-increasing circuit split that should culminate in the United States Supreme Court further clarifying its holding in Spokeo v. Robins concerning Article III standing.

Like most BIPA cases, the Bryant complaint was originally filed in Illinois state court. The Bryant plaintiff asserted claims under both sections 15(a) and 15(b) of BIPA. The former relates to the defendant’s failure to make publicly available disclosures, and the latter relates to the defendant’s failure to secure the plaintiff’s individual informed consent. The defendant removed the case to federal court. The plaintiff then moved to remand, ironically contending that she lacked a sufficiently concrete injury in fact to maintain Article III standing to maintain federal court jurisdiction. The defendant paradoxically argued that plaintiff alleged such an injury, relying on the Illinois Supreme Court opinion in Rosenbach v. Six Flags Entm’t Corp., wherein the court held that a violation of the right to receive certain information is an actionable grievance. The novelty of these arguments was not because of their substance, but instead, which side advanced them—an observation that Judge Wood noted in her opinion. Siding with the defendant, the district court remanded the case, and the plaintiff appealed.
Continue Reading BIPA Case Addressing Article III Standing Foreshadows Potential SCOTUS Review of Spokeo

Data security is not just hackers in cyberspace. It also exists in the physical world, and some of it relates to pedestrian but necessary security protocols for nuts-and-bolts objects. A recent report of a data leak shows how focusing exclusively on active systems can lead to unexpected and potentially problematic results.

In the story linked above, a manufacturer of connected vehicles replaced a number of its data storage appliances. A white-hat hacker reported that he had purchased four of the replaced units from eBay and found that they still contained the customers’ personal data, including the owners’ home and work locations, all saved wifi passwords, calendar entries from the customers’ phones, call lists and address books from paired phones, and Netflix and other stored session cookies. This incident follows a report from white-hat hackers last year who discovered drivers’ personal information in the electronic systems of salvaged vehicles.
Continue Reading Data Security: What Happens at the End of the Road?