The Department of Justice recently announced a “disruption campaign” against the Blackcat ransomware group (aka ALPHV or Noberus), including seizing the group’s darknet website and releasing a decryption tool for victim entities to recover their systems.Continue Reading ALPHV/Blackcat Ransomware Group Announces New Rule: No Rules…Anything, Anywhere

The Big Apple now demands big commitments from financial institutions regarding cybersecurity practices. Yesterday, the New York State Department of Financial Services (“NYDFS”) adopted its second set of amendments to its 2015 “Cybersecurity Requirements For Financial Services Companies” (“Amended Cybersecurity Regulation”), with some amendments immediately going into effect. The law requires “covered entities,” including but limited to financial institutions or insurance providers authorized to conduct business in New York, to implement and maintain a cybersecurity program, to report cybersecurity events, and to annually certify their compliance with the law. The Amended Cybersecurity Regulation now requires:Continue Reading Security State of Mind: Amendments to NYDFS’s Cybersecurity Regulation Go Live

Many businesses think their websites, like a spacecraft following Newton’s laws of motion, should just keep going once established. What may be reasonable in deep space is not particularly safe in the galaxy of data privacy, which is choked with debris, asteroids, and radiation. This fall is as good a time as any to make sure your electronic presence is still on course—especially as more states come online with new laws and regulations in 2024. Consider three questions:Continue Reading Start Your Website Spring Cleaning – This Fall

The Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cyber risk management, strategy, governance, and incidents. These rules build upon previous interpretive guidance issued by the SEC.Continue Reading SEC Adopts New Cybersecurity Disclosure Requirements

In between impeaching an Attorney General and creating a new type of business court, the 88th Texas Legislature passed the Texas Data Privacy and Security Act (TDPSA) (H.B. 4), which, once signed by Governor Abbott, will take effect July 1, 2024. State data privacy statutes generally track concepts in Europe’s General Data Protection Regulation (GDPR), including notices of data collection, data subject rights (knowing what data a business has, correcting it, deleting it, opting out of certain uses of personal data, etc.), and restrictions on use or transfer of personal data. Texas, which would join nine other states in enacting “comprehensive” data privacy regulations, has added some twists and traps for the unwary, particularly midsized businesses engaging in interstate commerce. Here are three notable features of the TDPSA.Continue Reading Texas Passes One of the Strongest Data Privacy Laws in the Nation

The Federal Trade Commission (“FTC”) recently issued a proposed order requiring BetterHelp, an online counseling service, to pay $7.8 million over misrepresentations to consumers and improper disclosures of consumers’ health information to advertisers, such as Facebook, Snapchat, Criteo, and Pinterest.[1] This order and consent agreement comes a month after the FTC entered a settlement with GoodRx for similar privacy violations, which we examined in the following article here.Continue Reading BetterHelp… Themselves: FTC Fines Company for Improper Deceptive Advertising Practices

Note: This story featuring commentary from Dykema’s Cinthia Granados Motley was originally published by Bloomberg Gov

  • Critical infrastructure industries would have to report hacks
  • Spending deal heading for House vote later on Wednesday

By Maria Curi | March 9, 2022, 5:31AM ET

Cybersecurity legislation that would impose new hack and ransomware reporting requirements on businesses was included in a spending bill lawmakers unveiled early Wednesday.

The Senate passed the cyber reporting requirements on March 1 under a bill (S. 3600) from Sen. Gary Peters (D-Mich). Peters previewed their inclusion in the spending bill Tuesday.
Continue Reading Cyberattack Reporting Requirements Included in Spending Deal

It has been impossible to ignore the constant spam of news articles detailing the epidemic of malicious attempts at data disruption and theft. While the cybersecurity risks of ransomware, malicious data extraction, and business e-mail compromise have been top of mind for professionals in heavily regulated industries for some time now, data from 2020 and the first half of 2021 compels an alarming new conclusion: cybercriminals are no longer a problem just for banks, health care organizations and oil pipelines to worry about. Businesses from a wide range of previously untargeted industries are now squarely in the cross-hairs of malicious threat actors.
Continue Reading Cybercriminals Finding Success In Targeting New Industries

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint warning that malicious cyber actors are targeting kindergarten through twelfth-grade (K-12) educational institutions. These actors are initiating ransomware attacks, data thefts, and general disruption of distance learning efforts. The agencies expect these attacks to continue through the 2020-21 academic year.

Among other things, cyber actors have launched ransomware attacks against school computer systems, rendering them inaccessible for distance learning and other basic functions. They have also stolen and threatened to leak confidential student data and personal information unless the institutions paid a ransom. In August and September 2020, 57 percent of ransomware incidents reported to MS-ISAC involved K-12 school, compare to 28 percent of such incidents from January through July.
Continue Reading Cyber Actors Hit K-12 Distance Learning Efforts With Ransomware and Phishing Attacks

Last week FireEye announced publicly that it had suffered a cyber-attack by  a “highly sophisticated state-sponsored attacker utilizing novel techniques.”[1] FireEye is a leading cybersecurity firm whom provides information security services and tools, including forensic investigation services, to high profile clients worldwide. In its public disclosure of the breach, FireEye reported the threat actor specifically targeted its Red Team tools. FireEye then preemptively released the means and methods to detect those Red Team tools. In its investigation of the incident, FireEye discovered that a widely used IT service provider, SolarWinds®, had also been hacked. The threat actor infiltrated SolarWinds and then packaged a malicious trojan into a normal SolarWinds update. SolarWinds believes as many as 18,000 clients may have download the update with the malicious trojan.
Continue Reading CISA Issues Warning to Mitigate Widespread Vulnerability