shutterstock_1083511010

Recently, this blog warned about Advanced Persistent Threats (APTs)—state-sponsored hackers that attack U.S. companies in the hopes of sowing political, technological, or financial disruption. In particular, we warned that healthcare companies were a favorite APT target, as foreign governments sought to extract data relating to healthcare research.

Security officials in the United States, the United Kingdom, and Canada recently announced that a Russian APT called APT29 is targeting organizations involved in national and international COVID-19 responses. According to U.S. intelligence services, APT29 is part of the SVR, Russia’s CIA equivalent, and UK officials also blame it for attacks against the 2016 presidential election.

Continue Reading Recent Russian Cyberattacks Against Coronavirus Researchers and Other Industries Provides a Lesson on Cyber Preparedness

shutterstock_771481831

This article is the last in our series on the threat APTs pose (you can find part 1 here and part 2 here) and focuses on the practical steps organizations can take to guard against APT attacks. Given the sophisticated, patient nature of APTs and the varied methods they use to compromise their targets, no single solution can prevent APT attacks. However, companies that take a comprehensive approach to their security posture and maintain a strong understanding of their own data and network can mitigate the threats posed by these entities.

Specifically, strengthening compliance with cybersecurity laws and industry regulations, maintaining multiple layers of network security, and educating employees on APT attacks can help organizations defend against APT intrusions. Further, organizations with updated data inventories, a strong understanding of their data management policies, and a definite baseline of ordinary network activity can place themselves in the best position to identify APT activity before it is too late. Continue Reading U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs) – Part 3

shutterstock_1385367863

On July 6, the United States Supreme Court issued its decision in Barr v. American Association of Political Consultants, Inc.. The Court considered whether a 2015 amendment to the Telephone Consumer Protection Act (“TCPA”) that created an exemption for debt collection calls relating to debts owed to, or guaranteed by, the federal government ran afoul the First Amendment. The American Association of Political Consultants, Inc. (“AAPC”) wished to make political calls to cell phones, just as the collectors of federal government debt are allowed to. The AAPC challenged the 2015 amendment’s constitutionality, claiming that it violated the First Amendment because it content-based and did not satisfy the strict scrutiny standard. The Fourth Circuit Court of Appeals agreed that the exemption unconstitutional but declined to strike down the entire TCPA as unconstitutional. The Fourth Circuit instead elected to sever the constitutionally offensive amendment and permit the balance of the TCPA to stand. The Supreme Court appeal considered two discrete questions: (1) whether the 2015 exemption for debt collection calls relating to government-backed debt was constitutional; and (2) if not, then what was the proper remedy to address the constitutional violation. Continue Reading The Big TCPA Case That Wasn’t

shutterstock_702701905

The perils of personal identity theft are well-known, but criminals target more than individuals and their credit card numbers. In recent years, businesses have become a popular target for identity thieves aiming to exploit brand recognition and customer expectations in the pursuit of illicit gains. Corporate identity theft’s effect on businesses can range from brand dilution to the exposure of sensitive company information. Hackers and data thieves have employed a number of identity-theft techniques that have proven catastrophic for some businesses.

Many corporate identity thefts begin with “typosquatting,” where thieves register look-alike domain names that vary only by a single letter or domain extension from the address of a business’s actual domain name (for example, “goggle.com” as a typosquatter for Google, or verizon.org for Verizon, which uses a .com extension). Typoquatting can be used in several ways. Continue Reading What’s Our Name Again? – Cyber Imposters Pose A Business Threat

shutterstock_441461692

Our first segment on APTs focused on the nature of the APT threat and the industries and data most at risk of these attacks. This section provides an in-depth overview of APT attack patterns and specific examples of APT attacks. Generally speaking, APT attack patterns overlap with popular cybersecurity attack pattern frameworks, such MITRE’s “PRE-ATT&CK and ATT&CK” and Lockheed Martin’s “Cyber Kill Chain” framework These frameworks break down network attacks into a series of stages that explain a threat actor’s conduct at each step of the attack. Although a number of threat actors and APTs share the attack patterns these frameworks describe, APT attacks approach these steps in a unique manner. Continue Reading U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs) – Part 2

shutterstock_402124762

The U.S. Departments of State, Treasury, and Homeland Security, and the Federal Bureau of Investigation recently released a joint advisory (the “Advisory”) outlining a number of cyber theft, ransomware, and money laundering operations originating from organized hacking groups sponsored by the North Korean government. According to the Advisory, these state-sponsored hacking groups have attempted to steal as much as $2 billion through cyber-enabled thefts on financial institutions as of late 2019, and are known to use automated digital currency transactions to launder their ill-gotten gains. These cyber-theft operations are among the latest in the list of high-profile breaches these actors are believed to have been responsible for, including the WannaCry 2.0 ransomware that hit a number of hospitals and corporations in the United States and abroad in May 2017, and the Sony Pictures Entertainment breach in November 2014. Continue Reading U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs) – Part 1

shutterstock_1186368262 (1)

The Genesis of Three Competing Federal Bills

In 2018, there were numerous congressional and industry proposals aimed at addressing privacy on the federal level. Although none ever crystalized as federal law, the sheer number of lawmakers introducing proposals and getting involved in the debate made clear that privacy would be a focus in 2019. As 2019 began, there was hope that the various state privacy statutes being enacted and debated were putting even more pressure on the federal government to enact bipartisan federal privacy legislation. The California Consumer Privacy Act’s (CCPA) January 1, 2020 go-live date also seemed to be increasing pressure on Congress to act. Nowhere was the combination of hope and pressure more pronounced than in the Senate Committee on Commerce, Science, and Transportation. Throughout 2019, bipartisan discussions on federal privacy legislation seemed to be progressing. Those talks ultimately broke down towards the end of 2019 and resulted in three separate, rival legislative proposals: COPRA, CDPA, and CDPSA. Continue Reading Federal Privacy Legislation: Where Are We and Where Are We Going?

shutterstock_565801447

On March 26, 2020, the District of Colombia enacted Act 23-268, known as the “Security Breach Protection Amendment Act of 2020.” Acting as an amendment of Section 28 of Chapter 38 of the District of Columbia Code, the Act: (1) expands the definition of “personal information,” (2) amends breach notification requirements, (3) adds new security requirements; and (4) expands the Act’s enforcement.

1. Definition of “Personal Information”

Under the Act, “personal information” now includes an individual’s name combined with one of the following data elements: Continue Reading District of Columbia Amended Privacy Law Creates New Requirements

shutterstock_746642194

On the list of concerns recently expressed about police conduct, data privacy ranks relatively low. However, a recent privacy leak by the New York Police Department’s union has shown how data privacy concerns can arise in any situation.

On May 30, the NYPD union tweeted a picture of a computer screen showing recent NYPD arrests relating to the recent civil disturbances following the widely publicized deaths of George Floyd, Breonna Taylor, and others. New York mayor Bill de Blasio’s daughter, Chiara, appeared on the report. The unredacted screenshot showed her name, her birth date, and her driver’s license information—the last being considered personally identifiable information under New York law. Twitter removed the post as a violation of its rules and suspended the union’s account. Continue Reading Government Data Leaks May Have Broad Data Privacy Implications

shutterstock_1725136630

Among countless other disruptions, COVID-19 has raised important questions about the limits of data collection and highlighted the shortcomings of both the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The pandemic has proven to be a black swan for which neither law nor its enforcement bodies are prepared—and which carries privacy-law implications that will persist long after the health crisis ends. Consequently, governments and businesses must work without meaningful existing guidance to strike a delicate balance between gathering the critical information needed to manage the virus and honoring the GDPR’s and CCPA’s stringent requirements.

Data Collection in Europe

The European Data Protection Board’s general guidance on how to collect data, in the context of COVID-19, leaves much room for interpretation. GDPR Articles 6 and 9 permit data collection without consent if the processing is necessary for the performance of a task carried out in the public interest. Although combating COVID-19 qualifies as a public interest need, it is unclear whether the collection methods employed, which vary by country, qualify as “necessary” under GDPR, or whether or to what extent those processes can sustain after the pandemic without violating the law. Each member state decides for itself how much intrusion is necessary, which invites comparisons to determine how far is far enough when gathering data in the public interest. Continue Reading The Crisis Beyond the Crisis: How Data Tracking for COVID-19 Creates Privacy Issues That Will Persist Once the Pandemic Is Over