CongressBipartisan Group of Senators Introduce Cyber Incident Notification Act of 2021

Bipartisan Group of Senators Introduce Cyber Incident Notification Act of 2021

On Wednesday July 21, 2021, Sens. Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins, (R-ME) introduced the Cyber Incident Notification Act of 2021 (CINA). 

Under CINA, federal agencies, federal contractors, and critical infrastructure companies (Covered Entities) would need to notify the Cybersecurity and Infrastructure Security Agency (CISA) within twenty four hours of discovery of a cyber intrusion or a potential cyber intrusion.  Moreover, under CINA, Covered Entities would need to provide regular seventy two-hour updates to CISA until the cyber intrusion has been mitigated.

Covered Entities who report to CISA under CINA will be afforded certain protections regarding their reports, including the report not being admissible as evidence into any resulting criminal or civil actions and being exempt to subpoenas, except for those directly coming from Congress.

CINA provides that Covered Entities who fail to report a cyber intrusion to CISA are subject to penalties determined by the Administrator of the General Services Administration (GAO), including but not limit to removal from Federal Contracting Schedules.  Additionally, CINA also provides that Covered Entities who fail to report cyber intrusions to CISA may be “subject to financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year.”

Beckage closely monitors changes in laws governing cybersecurity incidents and breaches of system security, including those which affect government contractors and suppliers.  Beckage’s team of attorneys and technologists are especially entuned with both responding to a data breach and understanding what a robust cybersecurity program would entail.  Beckage will continue to monitor CINA as it makes its way through the Senate and an update accordingly.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

Cybersecurity Map of United StatesCISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

CISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

On July 19th, the National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigations (FBI) released a joint cybersecurity advisory pertaining to Chinese state-sponsored threat actors. The advisory warns of potential malicious activity targeting “U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations.”  

In response to this increased threat, CISA suggests organizations, particularly managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions, take the following steps: 

Patch your systems as soon as you can after the release of operating system and application patches.  Updates are often quickly reverse-engineered by threat actors to determine the vulnerability that is being fixed and whether it can be weaponized. 

Employ monitoring and detection technologies give you a 360-degree view of what is happening on your network.  Be sure you can see lateral movement, which may show indicators of compromise, inside-out traffic to malicious hosts, which may indicate command and control communication, and outside-in communication, which could reflect attempts at compromise from external sources.   

Implement strong preventative measures to mitigate or help prevent compromise from occurring.  These include active anti-virus and multi-factor authentication. 

Read the full cybersecurity advisory issued by CISA here. While this alert focuses on businesses that would be potential targets for nation-state threat actors, the advice above is applicable to any business. Following these best practices does not guarantee the prevention of a security incident but can make it substantially more difficult for threat actors to gain a foothold in an organization’s network and systems and can reduce detection time. 

If you suspect any malicious activity in your systems, or would like to speak to an incident response attorney to help improve your organization’s security, Beckage attorneys can be reached 24/7 via our Data Breach Hotline: 844.502.9363 or IR@beckage.com.  

*Attorney advertising: prior results do not guarantee future outcomes. 

0
Colorado Privacy ActThe Colorado Privacy Act: Explained

The Colorado Privacy Act: Explained

On July 8th, Colorado Governor Jared Polis signed Senate Bill 190, the Colorado Privacy Act (CPA), into law. The Act is the third comprehensive state privacy law in the United States, following California’s Consumer Privacy Act and Virginia’s Consumer Data Protection Act.

The CPA is applicable to businesses that collect and store data on more than 100,000 individuals or those earning revenue from the data of more than 25,000 consumers. The bill also includes various data subject rights, a broad opt-out consent model with a universal opt-out mechanism, a right to cure, and attorney general rulemaking and enforcement. It is set to go into effect on July 1, 2023.

The CPA carries specific rights for the consumer including:

  • Opt-out of processing of personal data.
  • Authorization of another person to act on behalf of the consumer to opt-out of the processing of personal data for purposes of targeted advertising or the sale of consumer data.
  • Confirm whether personal data is being processed and access that data in a portable and readily usable format.
  • Correct inaccurate personal data.
  • Delete personal data.
  • Obtain consent before collection of certain sensitive personal data (data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation or sex life, citizenship or citizenship status, or genetic or biometric data).

The right to opt-out model gives consumers a user-selected universal opt-out mechanism for executing their opt-out right, however, it applies to targeted advertising and the sale of information. Consumers cannot opt out of unnecessary and irrelevant collection of information.  Controllers must comply with the universal opt-out. Consumer requests must be verifiable, and a controller may deny the request if the request cannot be authenticated.

All consumers are provided the opportunity to appeal any denials of request. Under the act, all controllers are required to respond to a consumer’s request to exercise their rights within 45 days of receiving the request. The time period may be extended an additional 45 days with a notice of delay and reasons for the delay.

The controllers must receive a consumer’s consent before processing a consumer’s sensitive information. Consent must be a clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous consent. Consent cannot be obtained by way of acceptance of general or broad terms of use. While the CPA requires consent to process “sensitive” personal data, the bill exempts protected health information and de-identified information under HIPAA, financial institutions and nonpublic personal information under the Gramm-Leach Bliley Act, information regulated by the Fair Credit Reporting Act, Children’s Online Privacy Protection Act, and the Family Educational Rights and Privacy Act, and information regulated by the Driver’s Privacy Protection Act of 1994. The CPA also exempts information maintained for employment records purposes.

Under the CPA, controllers are also required to conduct and document data protection assessments of each of its processing activities that involves personal data acquired when conducting processing that presents a heightened risk of harm to a consumer.

Controllers must provide a privacy notice to the consumer including:

  • Categories of personal data collected, processed, and/or shared with third parties,
  • Purposes for processing such data,
  • Categories of third parties with whom the controller shares personal data,
  • How and where consumers may exercise their rights, and
  • Whether the controller sells personal data or processes personal data for targeted advertising.

Data security practices must be appropriate to the volume, scope, and nature of the personal data processes and nature of the business. While the CPA carries these consumer rights and provides for several controller obligations, it does not offer a private right of action.

The Attorney General has the capability to address outstanding compliance concerns and ambiguities ahead of the law’s effective date. The Attorney General and state district attorneys will enforce the CPA. Under the bill, there is a 60-day cure period to rectify non-compliance provided before the Attorney General or district attorney may take enforcement action. The cure period is only provided until January 1, 2025, and noncompliance can result in civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. Again, consumers are not given the private right of action under the bill.

We anticipate more states will begin to enact legislation that will encourage the regulation of sensitive data processing and enhance consumer privacy rights. Beckage will continue to monitor any developments regarding the bill. Our team of highly skilled attorneys are especially equipped to help your business implement a proactive plan to help mitigate risk and remain compliant with emerging laws.

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

Subscribe to our Newsletter.

Jordan FischerJordan L. Fischer Named A 2021 Super Lawyers Rising Star For Third Year In A Row

Jordan L. Fischer Named A 2021 Super Lawyers Rising Star For Third Year In A Row

Jordan L. Fischer, Esq., has been named to the 2021 Pennsylvania Rising Stars list for outstanding lawyers 40 years old or younger or in practice for 10 years or less. This is her third straight year, appearing on this list. Each year, no more than 2.5 percent of the lawyers in the state are selected by the research team at Super Lawyers to receive this honor.

Fischer leads Beckage’s Global Privacy team where she represents clients in cross-border data management, creating cost-effective and business-oriented approaches to cybersecurity, data privacy and technology compliance. She practices in several jurisdictions throughout the United States in both state and federal courts, as well as internationally in both Europe and Asia.

At Beckage, she provides counsel to clients on a wide variety of regulatory requirements, including the General Data Protection Regulation and implementing member state law, the California Consumer Privacy Act, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, biometric data laws, global data breach standards, and federal and state unfair business practices acts. She also provides counsel on a variety of security and privacy frameworks, including the International Standards Organization 27001 and 27701, the National Institute of Standards and Technology cyber and privacy frameworks, and the Payment Credit Card Industry Data Security Standard.

Super Lawyers, a Thomson Reuters business, is a rating service of outstanding lawyers from more than 70 practice areas who have attained a high degree of peer recognition and professional achievement. The annual selections are made using a patented multiphase process that includes a statewide survey of lawyers, an independent research evaluation of candidates and peer reviews by practice area. The result is a credible, comprehensive, and diverse listing of exceptional attorneys.

About Beckage
Beckage is a women-owned law firm that focuses on technology, data security, and privacy. Our attorneys counsel clients on matters pertaining to data security and privacy compliance, litigation and class action defense, incident response, government investigations, technology intellectual property, and emerging technologies such as Artificial Intelligence (AI), digital currencies, Internet of Things (IoT) devices, and 5G networks. Beckage has offices from California to New York. Learn more at Beckage.com

                                                                               ###

Contact: Morgan Neal
mneal@beckage.com
585.738.2438

Beckage in the News: Protecting Against Deepfakes

Beckage in the News: Protecting Against Deepfakes

Beckage Managing Director, Jennifer Beckage was quoted in a recent Super Lawyers article, where she detailed the steps businesses can take to protect against becoming a victim of a deepfake scam.

“The first step is educating the board and executive teams that these things can be out there, and be used to cause harm or embarrassment,” she says. “It’s not unusual for an executive to have something like this happen to try to smear or tarnish their reputation.”

She also notes there are tools available to help monitor for deepfakes, like Microsoft Video Authenticator, for example, which analyzes photo and video and gives users a confidence score regarding the validity of the sample. 

And then there’s common sense. “We all should be looking more critically at certain things in certain circumstances,” she says. “For example, if an employee receives a video from the president of their company directing them to wire money, ask, ‘Would the president usually send me a video?’”

Jennifer Beckage, Managing Director, Beckage.

Beckage also commented on the recent FBI warning about the rise of deepfakes, which gave consumers tips on how to spot a deepfake. 

“The agency suggests looking between the eyes—does it seem like there’s too much space? Also, does there seem to be an issue with lip and mouth synchronization?” Further guidance includes looking for strange movement in relation to the head and torso.

“But there’s nothing more important than having an incident-response plan,” Beckage says. “If you have a business continuity plan that walks an organization through a fire or a flood, you should have a plan in place that addresses the unique circumstances of a data-security incident. What we often see is that deepfakes are usually part of something else—they tend to arise in the context of a data breach.”

Jennifer Beckage, Managing Director, Beckage

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

1 2 3 4 5 24