The Illinois Supreme Court unanimously ruled on Thursday that the Illinois Biometric Information Privacy Act (BIPA) is not preempted by the Illinois Workers’ Compensation Act (IWCA).

This decision clears the way for employees to pursue BIPA statutory damages ($1,000 for each negligent violation or $5,000 for each intentional or reckless violation), a significant and costly defeat for employers in a case that was followed closely by attorneys on both sides of the bar.

Continue Reading BIPA Lives On: Illinois Supreme Court Rejects Common Employer Defense of Workers’ Comp Preemption

It has been impossible to ignore the constant spam of news articles detailing the epidemic of malicious attempts at data disruption and theft. While the cybersecurity risks of ransomware, malicious data extraction, and business e-mail compromise have been top of mind for professionals in heavily regulated industries for some time now, data from 2020 and the first half of 2021 compels an alarming new conclusion: cybercriminals are no longer a problem just for banks, health care organizations and oil pipelines to worry about. Businesses from a wide range of previously untargeted industries are now squarely in the cross-hairs of malicious threat actors. Continue Reading Cybercriminals Finding Success In Targeting New Industries

On August 11, 2021, the Federal Financial Institutions Examination Council (the “FFIEC”) issued new guidance on risk management principles for access to and authentication of electronic funds transfers for the first time in over a decade, titled Authentication and Access to Financial Institution Services and Systems (the “New Guidance”).[1] The New Guidance effectively replaces the FFIEC’s prior guidance on this topic, including its original guidance issued in 2005, Authentication in an Internet Banking Environment (the “Original Guidance”), and the supplement issued in 2011 in response to increased fraud in Internet-based financial transactions (the “Supplement,”[2] and together with the Original Guidance, the “Guidance”). The Guidance was intended to set regulatory expectations for financial institutions offering Internet-based financial services to both commercial and consumer customers.

Continue Reading An Enhanced Standard of Commercial Reasonableness for Security Procedures? The FFIEC Updates Its Authentication Guidance for Internet-Based Financial Services

The Federal Trade Commission’s increased activity in the data security arena continues, as the FTC has ordered nine social media and video streaming companies—including Facebook, Twitter, TikTok, and Reddit—to provide data on their data privacy practices. The orders seek to discover (i) how these companies collect, use and present personal information, (ii) their advertising, (iii) their user engagement practices, and (iv) how their practices affect children and teenagers.

In issuing the orders, the FTC focused on social media’s monetization of users’ activities and “the industry’s increasing intrusion into our private lives.” In a joint statement, the FTC wrote: Continue Reading FTC Launches Investigation Into Facebook, Twitter, and Other Social Media Sites

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint warning that malicious cyber actors are targeting kindergarten through twelfth-grade (K-12) educational institutions. These actors are initiating ransomware attacks, data thefts, and general disruption of distance learning efforts. The agencies expect these attacks to continue through the 2020-21 academic year.

Among other things, cyber actors have launched ransomware attacks against school computer systems, rendering them inaccessible for distance learning and other basic functions. They have also stolen and threatened to leak confidential student data and personal information unless the institutions paid a ransom. In August and September 2020, 57 percent of ransomware incidents reported to MS-ISAC involved K-12 schools, compared to 28 percent of such incidents from January through July. Continue Reading Cyber Actors Hit K-12 Distance Learning Efforts With Ransomware and Phishing Attacks

Last week FireEye announced publicly that it had suffered a cyber-attack by a “highly sophisticated state-sponsored attacker utilizing novel techniques.”[1] FireEye is a leading cybersecurity firm which provides information security services and tools, including forensic investigation services, to high-profile clients worldwide. In its public disclosure of the breach, FireEye reported that the threat actor specifically targeted its Red Team tools. FireEye then preemptively released the means and methods to detect those Red Team tools. In its investigation of the incident, FireEye discovered that a widely used IT service provider, SolarWinds®, had also been hacked. The threat actor infiltrated SolarWinds and then packaged a malicious trojan into a normal SolarWinds update. SolarWinds believes as many as 18,000 clients may have downloaded the update with the malicious trojan. Continue Reading CISA Issues Warning to Mitigate Widespread Vulnerability

While public attention focused on the federal and state elections, Michigan voters made an important decision—they adopted Proposal 20-2, which amended Michigan’s Constitution to extend its protection from unreasonable searches and seizures to electronic data and communications. With the proliferation of personal electronic devices and storage of business information on computers used at home in the past few decades, federal and state courts, including the Supreme Court, have grappled with how to apply Fourth Amendment protections against unreasonable searches and seizures in a digital age. Although Proposal 20-2 might not change investigative practice, it clarifies that electronic data and communications are subject to the same protection against unreasonable search and seizure as other “traditional” information, such as paper records. Continue Reading Michigan Voters Add Constitutional Protections for Electronic Data and Communications

On November 9, the FTC announced a settlement of its complaint against Zoom Video Communications, Inc. The complaint charged Zoom with deceptive and unfair privacy and security practices, including claiming that it offered end-to-end encryption.

The end-to-end encryption claim has garnered the most attention. As the complaint states, Zoom represented that it offered end-to-end encryption. Instead, as this blog has previously explained, Zoom offered transport encryption, which meant that the Zoom service itself could access the unencrypted video and audio content of meetings. This meant that the confidentiality of recorded Zoom meetings depended entirely upon Zoom servers’ security from hackers—a particular concern for some users given that Zoom has servers in China. (As of October 26, Zoom began offering true end-to-end encryption as a technical preview, meaning that the company is proactively seeking feedback from its users.) Continue Reading FTC Settles Complaint Against Zoom Regarding End-to-End Encryption

“This article was originally published with Security Toolbox on September 15, 2020. You can view the original content here.”

Domestic and international politics have invaded the field of data security, and the COVID-19 pandemic has only added to this invasion. Shane O’Donnell, a partner and Chief Audit Executive at The Mako Group, and Sean Griffin, a member at Dykema, explain how security leaders can safeguard their crucial IT infrastructure in this new era of data security and navigate foreign and domestic politically motivated leaks.

Like it or not, domestic and international politics have invaded the field of data security. Of course, COVID-19 has assisted this invasion, but other political factors, from the upcoming US election to this summer’s Black Lives Matter protests, have played a part. Data security professionals must therefore keep an eye not only on their IT infrastructure but also on the practical consequences of recent political actions. Continue Reading Political Cost of Data Leaks: Data Security in the Crosshairs

Just over eight months after the effective date of the California Consumer Privacy Act (CCPA), the California Office of Administrative Law (OAL) approved the final California Attorney General’s CCPA regulations on June 1, 2020. The regulations are effective immediately.

In conjunction with the release of the final version of the regulations, the AG released an Addendum to Final Statement of Reasons explaining that (1) it had withdrawn certain provisions for additional consideration and (2) any changes to the text of the June 1, 2020 regulations were “non-substantive” and for “accuracy, consistency, and clarity.” The AG defined “non-substantive” as those changes that “clarify without materially altering the requirements, rights, responsibilities, conditions or prescriptions contained in the original text.” Continue Reading CCPA Regulations Are Now Final