United States Department of Homeland Security (DHS) Announces New Grant Plan to Slow Epidemic Spread of Cyber Attacks

United States Department of Homeland Security (DHS) Announces New Grant Plan to Slow Epidemic Spread of Cyber Attacks

Businesses may be able to take a little sigh of relief that some help may be coming to the persistent threat of ransomware attacks.  The DHS announced that significant funds will be provided to a number of public and private sectors to help improve the nation’s protection against data security attacks and other crises.

The Feb. 25 Announcement

On February 25, 2021, DHS announced its funding notice for several different types of cyber preparedness grants worth nearly $1.87 billion.  After noticing a rise in both the number and complexity of cyber threats faced by communities, including targeted ransomware attacks on our infrastructure, hospital, transportation systems, DHS identified five critical priority areas for attention for its fiscal 2021 grant cycle: 1) cybersecurity; 2) soft targets and crowded places; 3) intelligence and information sharing; 4) domestic violent extremism; and 5) emerging threats.  These grant programs provide funding to state, local, tribal/territorial governments, transportation authorities, nonprofit organizations, and the private sector to improve the nation’s readiness in preventing, protecting against, responding to, recovering from terrorist attacks, major disasters, and other emergencies.

The DHS announced several non-competitive grants which are to be awarded to recipients based on several factors:

  • State Homeland Security Program – The State Homeland Security Program provides $415 million to support the implementation of risk-driven, capabilities-based state homeland security strategies to address capability targets;
  • Urban Area Security Initiative – The Urban Area Security Initiative provides $615 million to enhance regional preparedness and capabilities in 31 high-threat, high-density areas; and
  • Emergency Management Performance Grant (“EMPG”) – EMPG provides more than $355 million to assist state, local, tribal, and territorial governments in enhancing and sustaining all-hazards emergency management capabilities; and
  • Intercity Passenger RailAmtrak Program – The Amtrak Program provides $10 million to Amtrak to protect critical surface transportation infrastructure and the traveling public from acts of terrorism and increase the resilience of the Amtrak rail system.

Moreover, the DHS announced several competitive grants, including:

  • Operation Stonegarden – Operation Stongarden provides $90 million to enhance cooperation and coordination among state, local, tribal, territorial, and federal law enforcement agencies to jointly enhance security along the United States land and water borders;
  • Tribal Homeland Security Grant Program – The Tribal Homeland Security Grant Program provides $15 million to eligible tribal nations to implement preparedness initiatives to help strengthen the nation against risk associated with potential terrorist attacks and other hazards;
  • The Nonprofit Security Grant Program – The Nonprofit Security Grant Program provides $180 million to support target hardening and other physical security enhancements for nonprofit organizations that are at high risk of a terrorist attack;
  • Port Security Grant Program – The Port Security Grant Program provides $100 million to help protect critical port infrastructure from terrorism, enhance maritime domain awareness, improve port-wide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities;
  • Transit Security Grant Program – The Transit Security Grant Program provides $88 million to owners and operators of public transit systems to protect critical surface transportation and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure; and
  • Intercity Bus Security Program – The Intercity Bus Security Program provides $2 million to owners and operators of intercity bus systems to protect surface transportation infrastructure and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure.

Impact on Business

Private sector businesses can apply for these grants, especially if they are in the process of developing and creating cyberwarfare and other data defense tools.  Grant  information can be found here.

Beckage has responded to countless data breaches and is always comforted to see more dollars that foster collaboration between public and private sectors to help defend and protect U.S. business and more.

If you have questions about the grant dollars or how to apply, please contact a Beckage attorney at 716.898.2102.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

Data BreachUpcoming National Data Breach Notification Legislation

Upcoming National Data Breach Notification Legislation

Among growing pressure in the wake of the allegedly state-sponsored SolarWinds cyber attack , federal legislators on both sides of the isle have expressed renewed interest in a federal data breach notification law.  Currently, each state has it own data breach notification law governing notice requirements to individuals, state attorneys general, and credit reporting agencies, when personal identifiable information such as names, social security numbers, and credit card information are accessed or acquired as part of data breach.  As a result, data breach response involves a host of competing timelines for business to notify various individuals and organizations.  This can prove to be inconsistent, complex, costly, and time consuming.

In an attempt to streamline the data breach notification process, Representatives Michael McCaul (R-TX-10), ranking member of the House Foreign Affairs Committee, and Jim Langevin (D-RI-2), chair of the House Armed Services Committee’s cybersecurity subcommittee, are drafting a bill which would create a federal mandatory breach notification.  The proposed bill would involve removing sources, methods, and names out of notifications and sending them to the Cybersecurity and Infrastructure Security Agency (“CISA”).  Moreover, the proposed bill will incorporate input from the Cyberspace Solarium Commission, a group established by Congress comprised of lawmakers and other officials with the purpose of developing a strategic approach to our nation’s defense against cyberattacks.  The Cyber Solarium Commission released its first report in March 2020 calling for several government reforms including, but not limited to: issuing an update to our National Cyber Strategy; establishing a permanent House and Senate Committee on Cybersecurity; and strengthening CISA.

Moreover, the proposed bill is expected to be based on, in large part, previously drafted legislation by Rep. Langevin in 2017 entitled “Personal Data Notification and Protection Act of 2017” (“PDNPA”).  See Personal Data Notification and Protection Act of 2017, H.R. H.R.3806, 115 Cong. (2017).  The PDNPA was introduced into the house on September 18, 2017, in the wake of the Equifax breach , but died in committee as political energy began to change focus.

The PDNPA required, in relevant part, that “any business entity engaged in or affecting interstate commerce that uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify…any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired.”  See id at § 2(a).

Notice under the PDNPA was to be completed by one of the following methods: i) written notification to the last known home mailing address of the individual in the records of the business entity; ii) telephone notification to the individual personally; iii) e-mail notification, if the individual consented, and if consistent with the 01 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001); or if the number of individuals affected exceeded 5,0000 person, notification could have been provided to media “reasonably calculated to reach such individuals”.  See id at § 7. 

Similarly, PDNPA required a business entity who suffered a data breach affecting greater than 5,000 persons to notify credit reporting agencies.  See id at § 6.  PDNPA provided authority to the Federal Trade Commission to enforce penalties; however, it also recognized state attorneys general could, in the interest of the residents of their state, bring civil action against violators imposing fines of $1,000 per day per individual whose personal identifiable information was exposed with a maximum of $1,000,000 per violation, unless the business entity’s conduct was found to be willful or intentional.  See id at §§ 8-9. 

Finally, PDNPA was to supersede all state laws regarding breach notification by a business entity engaged in interstate commerce who suffers a data breach.  See id at § 10.  Whereas PDNPA never was enacted, the proposed legislation will likely closely mirror the above-referenced terms.

The Beckage Incident Response team will continue to monitor any developments regarding a national data breach notification law and will update its guidance accordingly. Our attorneys are nationally recognized for our experience working on data breaches, including some of the most notorious cyber incidents in recent history. If your business is in the midst of navigating the complexities surrounding a recent data breach, our team can be reached anytime via  our 24/7 data breach hotline at 844-502-9363 or by emailing IR@beckage.com.   

Subscribe to our newsletter.

*Attorney Advertising; prior results do not guarantee similar outcomes.

Cyber InsuranceDFS February 2021 Guidance To Cyber Insurers

DFS February 2021 Guidance To Cyber Insurers

On February 4, 2021, the New York State Department of Financial Services (DFS) issued specific guidance to property/casualty insurers writing cyber insurance policies, known as the Cyber Insurance Risk Framework (“Framework”). The DFS promoted itself as the first US regulator in the nation to issue a specific guidance on cyber insurance, explaining the suggestions of the Framework are based on continued dialogue with the insurance industry and experts in cyber insurance regarding the shifting landscape of cybersecurity.

With the Covid-19 pandemic forcing companies to shift to an online workforce, cybercrimes, like ransomware and malware attacks, have drastically increased in frequency, severity, and cost to victimized companies. Cybercriminals use payments extorted from ransomware to fund more frequent and sophisticated ransomware attacks, emboldening them to target other organizations and widen their campaigns. The widespread use of ransomware has pressured cyber insurers to increase rates and tighten underwriting standards for cyber insurance.

The DFS advises New York regulated property/casualty insurers offering cyber insurance to establish a formal strategy for measuring cyber insurance risks that can be approved by a board or a governing entity. The Framework acknowledges that strategies should be proportionate with each insurer’s risk based on the insurer’s size, resources, geographic distribution, market share, and industries insured.  It is important to note the Framework constitutes a list of best practices and suggested approaches and does not yet constitute rules or regulations for the insurance industry.

The Cyber Insurance Risk Framework encourages cyber insurers to formalize a Cyber Insurance Risk Assessment Strategy that is managed by a governing body and establishes and/or formalizes qualitative and quantitative measures and goals for cyber risk that incorporate six best practices identified by DFS:

  1. Manage and Eliminate Exposure to “Silent” Cyber Insurance Risk

Cyber insurers should determine whether they are exposed to silent or non-affirmative cyber insurance risk, an insurer’s obligation to cover cyber incident losses under a policy that does not explicitly mention cyber incidents. The Framework suggests that insurers evaluate their silent risk exposure and take steps to minimize that exposure.

2. Evaluate Systemic Risk

Cyber insurers should conduct regular systemic risk evaluations and plan for potential losses. Increased reliance on third-party vendors has caused systemic risk to grow exponentially and thus, insurers should understand the third parties used by their insureds and model the effect of catastrophic cyber events that may result in simultaneous losses.

3. Rigorously Measure Insured Risk by Using Data

Cyber insurers should use a comprehensive, data-driven approach to assess their insured’s potential gaps and cybersecurity vulnerabilities.

4. Educate Insureds and Insurance Producers

Cyber insurers should educate their insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations of cyber insurance.

5. Obtain Cybersecurity Expertise

Cyber insurers can use strategic recruiting practices to hire employees with cybersecurity experience and invest in their training and development.

6. Require Notice to Law Enforcement

In the event of a cyberattack, cyber insurance policies should require victims notify and engage law enforcement agencies to help recover lost data and funds.

This guidance brings operational and other challenges to those in the property/casualty insurance market. It also adds new potential requirements to pass along to their insureds. For example, insureds may not know that their policy will require notification of law enforcement, and they may have reasons not to notify law enforcement, but if they choose not to it can lead to a coverage dispute.

Beckage advises those in the insurance industry on risk management, cybersecurity best practices and measures, third-party vendor management, and incident response.  Beckage also works with global clients to evaluate risk management, including opportunities to obtain various cyber and tech related coverage. We can be reached 24/7 via our data breach hotline at 844.502.9363 or IR@beckage.com.

Subscribe to our newsletter. 

*Attorney advertising – prior results do not guarantee future outcomes. 

Identity TheftEleventh Circuit Adds to Circuit Split on Whether Future Risk of ID Theft Can Support Data Breach Class Claims

Eleventh Circuit Adds to Circuit Split on Whether Future Risk of ID Theft Can Support Data Breach Class Claims

Courts across the United States continue to struggle with whether individuals impacted by a company’s data breach have suffered harm that is concrete enough to support their claims in court. 

After they are notified of a data breach involving their personal data, impacted individuals often join together to bring class action claims against the business for its alleged failure to safeguard their data, breach of privacy promises regarding that data, and under applicable state consumer laws.

Data Breach Class Actions & Standing Requirements

One area that courts have shown a willingness to scrutinize is the question of whether these individuals have alleged, or can show they have experienced, actual harm from the data incident, to satisfy the Constitutional Article III requirement known as standing. 

Plaintiffs continue to present novel theories of why access to their data by an unauthorized third party harmed them in a way that a court may remedy, especially in instances where no facts exist to show that their data has actually been misused.  Plaintiffs will often allege that they lost some value associated with their data, or associated with the use of their data.  By far the most prominent theory submitted by data breach plaintiffs is that these individuals are now at a higher risk of future identity theft and that future relief, such as credit monitoring, should be offered to them to prevent against this risk.

But how great is this risk of future identity theft, really? According to a recent Eleventh Circuit decision, not substantial enough to support Article III standing.

The I Tan Tsao Decision

In affirming the dismissal of a customer’s proposed class action against Florida-based fast-food chain, PDQ, over a data breach that allegedly exposed plaintiffs’ credit and debit card information, the Eleventh Circuit held that the plaintiff I Tan Tsao did not present a sufficient injury claim as a basis for bringing the suit.  There, Mr. Tsao alleged that he and members of his class were at an elevated risk of future identity theft due to the restaurant chain’s breach, and that he had to take certain mitigative steps to reduce this risk, such as cancelling his credit cards.  Plaintiff Tsao relied primarily on a 2007 GAO Report on Data Breaches in support of his theory.

The Eleventh Circuit did not find Mr. Tsao’s hypothetical future risk of identity theft compelling enough for Article III standing purposes.

“We hold that Tsao lacks Article III standing because he cannot demonstrate that there is a substantial risk of future identity theft — or that identity theft is certainly impending — and because he cannot manufacture standing by incurring costs in anticipation of non-imminent harm,” the three-judge panel said.

In relying on the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, the Eleventh Circuit concluded that a plaintiff alleging a hypothetical harm does not have standing unless that harm is either “certainly impending” or represents a “substantial risk” of harm.  And if the alleged risk does not rise to those levels, a plaintiff cannot “conjure standing by inflicting some direct harm on itself to mitigate a perceived risk.”

The Eleventh Circuit also rejected Mr. Tsao’s use of the GAO Report, holding that the Report’s findings actually supported that the limited data potentially exposed here – credit and debit card numbers – alone, did not lead to a higher incidence of future identity theft.

Nor could Mr. Tsao’s mitigative steps – to cancel his credit card, which he alleged led to a period of restricted access to his account and lost reward points – manufacture a harm for standing purposes.  “It is well established that plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending” the Circuit court held, citing to Clapper.

The Court’s decision in I Tan Tsao v. Capitva MVP Restaurant Partners LLC aligns it with the Second, Third, Fourth and Eighth Circuit Courts of Appeal who have rejected the theory, while the Sixth, Seventh, Ninth and D.C. circuits have accepted it.

The Supreme Court has yet to hear an Article III standing case in the data breach context, leading legal spectators to wonder if the I Tan Tsao decision now presents the high Court with an opportunity to provide such guidance.

Beckage is monitoring developments in this case and other data breach class actions that may provide guidance for future litigation.  Our Litigation team has worked on some of the largest data breach and privacy class actions in the country and can help your business develop a litigation strategy that will result in a successful outcome and minimal disruption to your everyday work.  Learn more about our Litigation Practice Group here.

Subscribe to our newsletter.

*Attorney advertising. Prior results do not guarantee future outcomes.

Emotet MalwareThe Emotet Attack Gets Attacked

The Emotet Attack Gets Attacked

Having responded to numerous malware and ransomware incidents, it is clear that cyber threats are persistent but not impenetrable.  The thing that pokes holes in company’s IT environments, can itself be vulnerable as a recent incident with Emotet has proven.  This recent occurrence can hopefully provide businesses with assurance that government, like private industry, is working hard to push back on cyber threats.    

What is it? 

Emotet is an extremely well-traveled bit of malware. It has been spread far and wide across the globe and led to countless data incidents via automated phishing emails.  By luring recipients to not only open a spam email, but then download an attachment or click a link, whether it be a fake invoice or COVID-19 vaccine information, Emotet tricked recipients into installing malware on their system that then opens a gateway to the botnet’s system.  And continuously, since 2014, the Emotet botnet runs more phishing campaigns, convinces more individuals to download malware masked as attachments, and opens more gateways to more Windows systems, calling out and then preserving a point of access to an unsuspecting party.  

Why is it dangerous? 

Think of every successful introduction of Emotet malware onto a computer as opening a gateway to that system.  Then think of all the gateways being amassed by the group that controls Emotet.  Now imagine that team saying to a global community of cyber attackers, “Which gateways would you like to purchase access to in order to deploy your ransomware or whatever attack you have in mind?”  The result has been, according to Ukrainian law enforcement, $2.5 billion in damages by resulting attacks.  Popular ransomware variants like Ryuk are known to be paying for that access and contributing to the resulting financial hardship.  So Emotet may not be the illegal drug, but they are the needle delivering it.   

What happened? 

The FBI, Europol, Canada’s Royal Mounted Police, the National Police of Ukraine, the UK’s National Crime Agency and other international law enforcement agencies, with the aid of private researchers, embarked on an expansive raid on Emotet, reportedly two years in the making.  Operation Ladybird, as it was known, sought to take over a command-and-control network of servers in over 90 countries.  The result?  A success.  The Emotet disruption was pulled off by replacing the machines at the center of the botnet’s infrastructure with the computers of law enforcement, allowing law enforcement to negate any further requests from the malware to the botnet and prevent any malicious activity.  The infrastructure that controls the Emotet operation is now under the control of law enforcement and now the botnet responsible for up to 30% of all malware attacks is offline, leaving those who once relied on purchasing access to those gateways for deploying cyber-attacks at a loss for access.   

The Beckage Team has extensive experience counseling clients on data security matters, breach response preparedness, and breach coach services.  We have also worked on headline-making data incidents, including those associated with malware and ransomware strains like Emotet and Ryuk. Our team can be reached anytime via our 24/7 data breach hotline at 844-502-9363 or by emailing IR@beckage.com.   

Subscribe to our newsletter.

*Attorney Advertising; prior results do not guarantee similar outcomes.  

1 2 3