Data Security

Subscribe to Data Security
shutterstock_1251170581

Cannabis companies nationwide are facing yet another statutory obstacle that can have serious (and potential ruinous) consequences for the emerging industry if not appropriately addressed—the Telephone Consumer Protection Act (“TCPA”). There is a recent uptick in class-action lawsuits filed against cannabis companies across the country premised on alleged violations of the TCPA including lawsuits in Michigan and California. These complaints allege cannabis companies sent unsolicited marketing text messages or placed automated phone calls to individuals without their consent. Cannabis dispensaries and other cannabis-related businesses should add TCPA compliance protocols to their checklist of regulatory requirements to be satisfied in this quickly emerging industry.

The TCPA

Enacted in 1991, the TCPA heavily regulates the ability to send phone, text, or facsimile messages through automatic telephone dialing systems. Non-compliance with the statute can be costly, as companies found to have violated the TCPA can be liable for $500 per call or text sent in violation of the Act, and up to $1,500 for willful or knowing violations. Damages are also not capped under the TCPA, so even a small number of texts or calls sent to a large number of recipients can lead to hefty damage awards. The ability to recover significant damages results in most TCPA claims being brought as class-actions. As a result, it is imperative that cannabis businesses that communicate with customers via text or by phone understand the rules governing the TCPA to avoid or at least minimize their liability exposure.
Continue Reading Why Cannabis Companies Need to Care About the TCPA

shutterstock_1202889130

Months ago, the Firewall warned that cybercriminals were taking advantage of the anxiety and insecurity from COVID-19 to promulgate phishing schemes, malware, and other schemes.  Interpol recently released a report (click here to download PDF from Interpol) warning of these dangers and other cybercriminal activity that exploits the current COVID-19 environment. As the Firewall advised in April, Interpol’s report notes that cybercriminals are taking advantage of the increased security vulnerabilities arising from the sudden shift to remote work.

Interpol groups the recent COVID-related cybercriminal activity into five categories.
Continue Reading COVID-19 Increases Data Security Threats, Interpol Warns

shutterstock_413633761

After the Fourth Circuit held that a commercial general liability (“CGL”) policy could cover a data incident in 2016, confusion arose as to whether CGL policies would continue to cover data breaches. A recent California lawsuit by the smart-TV maker Vizio against two of its insurance companies shows that this confusion also arises when an insured invokes CGL policies to cover litigation arising from alleged data misuse.

The smart-TV maker Vizio has faced multiple proposed class actions arising from the alleged sharing of its customers’ viewing data with third parties. Vizio recently reached a $17 million settlement to resolve multidistrict litigation (MDL) on behalf of 16 million Vizio owners alleging the sale of their data without their consent.
Continue Reading Somebody’s Watching Me: A Recent Smart-TV Lawsuit Seeks Insurance Coverage for Privacy Litigation

shutterstock_1083511010

Recently, this blog warned about Advanced Persistent Threats (APTs)—state-sponsored hackers that attack U.S. companies in the hopes of sowing political, technological, or financial disruption. In particular, we warned that healthcare companies were a favorite APT target, as foreign governments sought to extract data relating to healthcare research.

Security officials in the United States, the United Kingdom, and Canada recently announced that a Russian APT called APT29 is targeting organizations involved in national and international COVID-19 responses. According to U.S. intelligence services, APT29 is part of the SVR, Russia’s CIA equivalent, and UK officials also blame it for attacks against the 2016 presidential election.Continue Reading Recent Russian Cyberattacks Against Coronavirus Researchers and Other Industries Provides a Lesson on Cyber Preparedness

shutterstock_1385367863

On July 6, the United States Supreme Court issued its decision in Barr v. American Association of Political Consultants, Inc.. The Court considered whether a 2015 amendment to the Telephone Consumer Protection Act (“TCPA”) that created an exemption for debt collection calls relating to debts owed to, or guaranteed by, the federal government ran afoul the First Amendment. The American Association of Political Consultants, Inc. (“AAPC”) wished to make political calls to cell phones, just as the collectors of federal government debt are allowed to. The AAPC challenged the 2015 amendment’s constitutionality, claiming that it violated the First Amendment because it content-based and did not satisfy the strict scrutiny standard. The Fourth Circuit Court of Appeals agreed that the exemption unconstitutional but declined to strike down the entire TCPA as unconstitutional. The Fourth Circuit instead elected to sever the constitutionally offensive amendment and permit the balance of the TCPA to stand. The Supreme Court appeal considered two discrete questions: (1) whether the 2015 exemption for debt collection calls relating to government-backed debt was constitutional; and (2) if not, then what was the proper remedy to address the constitutional violation.
Continue Reading The Big TCPA Case That Wasn’t

shutterstock_702701905

The perils of personal identity theft are well-known, but criminals target more than individuals and their credit card numbers. In recent years, businesses have become a popular target for identity thieves aiming to exploit brand recognition and customer expectations in the pursuit of illicit gains. Corporate identity theft’s effect on businesses can range from brand dilution to the exposure of sensitive company information. Hackers and data thieves have employed a number of identity-theft techniques that have proven catastrophic for some businesses.

Many corporate identity thefts begin with “typosquatting,” where thieves register look-alike domain names that vary only by a single letter or domain extension from the address of a business’s actual domain name (for example, “goggle.com” as a typosquatter for Google, or verizon.org for Verizon, which uses a .com extension). Typoquatting can be used in several ways.
Continue Reading What’s Our Name Again? – Cyber Imposters Pose A Business Threat

shutterstock_441461692

Our first segment on APTs focused on the nature of the APT threat and the industries and data most at risk of these attacks. This section provides an in-depth overview of APT attack patterns and specific examples of APT attacks. Generally speaking, APT attack patterns overlap with popular cybersecurity attack pattern frameworks, such MITRE’s “PRE-ATT&CK and ATT&CK” and Lockheed Martin’s “Cyber Kill Chain” framework These frameworks break down network attacks into a series of stages that explain a threat actor’s conduct at each step of the attack. Although a number of threat actors and APTs share the attack patterns these frameworks describe, APT attacks approach these steps in a unique manner.
Continue Reading U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs) – Part 2

shutterstock_402124762

The U.S. Departments of State, Treasury, and Homeland Security, and the Federal Bureau of Investigation recently released a joint advisory (the “Advisory”) outlining a number of cyber theft, ransomware, and money laundering operations originating from organized hacking groups sponsored by the North Korean government. According to the Advisory, these state-sponsored hacking groups have attempted to steal as much as $2 billion through cyber-enabled thefts on financial institutions as of late 2019, and are known to use automated digital currency transactions to launder their ill-gotten gains. These cyber-theft operations are among the latest in the list of high-profile breaches these actors are believed to have been responsible for, including the WannaCry 2.0 ransomware that hit a number of hospitals and corporations in the United States and abroad in May 2017, and the Sony Pictures Entertainment breach in November 2014.
Continue Reading U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs) – Part 1

shutterstock_1186368262 (1)

The Genesis of Three Competing Federal Bills

In 2018, there were numerous congressional and industry proposals aimed at addressing privacy on the federal level. Although none ever crystalized as federal law, the sheer number of lawmakers introducing proposals and getting involved in the debate made clear that privacy would be a focus in 2019. As 2019 began, there was hope that the various state privacy statutes being enacted and debated were putting even more pressure on the federal government to enact bipartisan federal privacy legislation. The California Consumer Privacy Act’s (CCPA) January 1, 2020 go-live date also seemed to be increasing pressure on Congress to act. Nowhere was the combination of hope and pressure more pronounced than in the Senate Committee on Commerce, Science, and Transportation. Throughout 2019, bipartisan discussions on federal privacy legislation seemed to be progressing. Those talks ultimately broke down towards the end of 2019 and resulted in three separate, rival legislative proposals: COPRA, CDPA, and CDPSA.
Continue Reading Federal Privacy Legislation: Where Are We and Where Are We Going?

shutterstock_565801447

On March 26, 2020, the District of Colombia enacted Act 23-268, known as the “Security Breach Protection Amendment Act of 2020.” Acting as an amendment of Section 28 of Chapter 38 of the District of Columbia Code, the Act: (1) expands the definition of “personal information,” (2) amends breach notification requirements, (3) adds new security requirements; and (4) expands the Act’s enforcement.

1. Definition of “Personal Information”

Under the Act, “personal information” now includes an individual’s name combined with one of the following data elements:
Continue Reading District of Columbia Amended Privacy Law Creates New Requirements