Looking Back on 2020’s Top Privacy and Cybersecurity Trends

As 2020 comes to a close, Beckage looks back on the ways this difficult and unprecedented year impacted the data privacy and cybersecurity landscape both domestically and across the globe.

Enhanced Privacy Challenges and Concerns Due to Covid-19

In response to the COVID-19 pandemic, businesses around the globe made a major pivot to online or virtual operations early this year. An intentional focus on data protection and a solid understanding of the regulatory landscape are legal requirements that demand the integration of data protection up front in any network design or business practice. The increase in exposure of company assets made it necessary to implement a variety of technical safeguards. Companies still had to meet the compliance milestones of the NY SHIELD Act and the California Consumer Privacy Act (CCPA) while dealing with new privacy challenges caused by a distributed workforce and a global health pandemic. Beckage reminds organizations of the importance of revisiting their readiness through business continuity, incident response, and more expansive administrative, technical, and physical safeguards when shifting to a work-from-home model, and recommends continued assessment of your company’s privacy pitfalls in this ever-shifting legal landscape.

Increased Ransomware and Cyberattacks

With rapid changes in organizational operations caused by the COVID-19 pandemic, attackers became more sophisticated in their strategies and unleashed several unrelenting, simultaneous attacks on service providers and the organizations they serve in 2020. Victims of recent cyber attacks, such as the SolarWinds campaign carried out in December, include government agencies, healthcare providers, consulting agencies, and technology, telecom, and oil and gas companies. In many of these campaigns, attackers were able to gain access and move freely throughout an organization’s network, installing additional software, creating new accounts, and accessing sensitive data and valuable resources while remaining largely undetected. In response to the uptick in data incidents this year, the Beckage Incident Response Team recommends organizations implement several preventative steps to safeguard their organization and help minimize legal risk.

Patient Access Rights and Interoperability

Recent developments in 2020 concerning patients’ right to access health information, which implement interoperability and record access requirements, are intended to help patients obtain access to health records and payment data so they can make informed decisions about their healthcare. The CMS Proposed Rule and the OCR Proposed Rule represent a complete overhaul of well-established standards and introduce new and highly technical healthcare compliance requirements. The experienced Health Law Team at Beckage can help distill these lengthy and complicated rules so organizations can understand the practical implications for daily operations.

Increased International Focus on Consumer Privacy

On the heels of the EU’s General Data Protection Regulation (GDPR), many countries followed suit by establishing legal frameworks governing how organizations collect, use, and store their citizens’ personal data. One example is Brazil’s Lei Geral de Proteção de Dados (LGPD), which went into effect in August of 2020. This general data protection law, which closely mimics the GDPR, places strict requirements on organizations that process Brazilian citizens’ personal data.

At the same time, Europe continued to elevate its enforcement of the GDPR, with major decisions from various member state Data Protection Authorities, the European Court of Justice (ECJ), and the European Data Protection Board (EDPB). The most impactful for businesses across the globe was the ECJ’s decision in Schrems II, which invalidated the EU-US Privacy Shield and called into question the long-term viability of the Standard Contractual Clauses (SCCs) for transferring data from the EU to the US. In 2021, companies should closely monitor the evolving guidance on international data transfers and be prepared to mitigate the risk of global data transfers.

Beckage’s Global Data Privacy Team expects continued adoption of data protection regulations across many regions, and an emphasis on creating global security and privacy compliance programs in the year ahead.

Uptick in ADA Litigation

This past year, the Beckage Accessibility Team has witnessed a drastic increase in litigation under Title III of the Americans with Disabilities Act. On average, about eight new lawsuits are filed a day by disabled individuals alleging unequal access to goods and services provided on a company’s digital platforms. While the Department of Justice (DOJ) has consistently held that the ADA applies to websites and mobile apps, it has failed to clarify the precise requirements for a business to be deemed compliant. This has prompted a wave of litigation by plaintiffs who claim a website or mobile app’s incompatibility with assistive technology, like screen-reading software, has denied them full access to and equal enjoyment of the goods, services, and accommodations of the website, therefore violating the ADA. Most of these lawsuits are settled quickly out of court to avoid litigating in such uncertain legal terrain.

Beckage handles the defense of website accessibility lawsuits and assists companies in navigating pre- and post-suit settlement agreements in this unique area of the law. Beckage also works with clients under privilege to conduct internal and remedial audits of client websites and mobile applications, evaluate platform compatibility, and oversee implementation of recommended remedial or accessibility-enhancement measures.

California Consumer Privacy Act (CCPA)

Enforcement of California’s comprehensive California Consumer Privacy Act (CCPA) began on July 1, 2020 and has brought a range of plaintiff-related lawsuits under its private right of action provision, which expands California breach laws. For a data breach to be actionable, the information accessed must qualify as personal information as narrowly defined by California’s data breach notification law. Recently, in November 2020, the California Privacy Rights Act (CPRA) ballot initiative was passed, creating additional privacy rights and obligations pertaining to sensitive personal information that will go into effect. The CPRA also expands the data breach liability created by the CCPA, adds a private right of action for unauthorized access to an account where the business failed to maintain reasonable security, and imposes data protection obligations directly on service providers, contractors, and third parties. Beckage urges businesses that operate in or serve California citizens to continue to follow CCPA developments and carefully monitor related litigation in the coming months.

Emerging Technologies

The recent expansion of the Illinois Biometric Information Privacy Act (BIPA) has resulted in numerous class action suits against organizations alleged to have collected plaintiffs’ biometric data. With the expanding use of biometric equipment, these claims often allege defendants obtained plaintiffs’ biometric data without complying with the BIPA’s notification and consent requirements. Upcoming class suits may address the issue of whether BIPA has extraterritorial effect when claims are brought against out-of-state vendors.

Similarly, computer-manipulated media, known as deep fakes, heighten the dangers of influenced perceptions. Advances in deep fakes are giving rise to legal claims including defamation, trade libel, false light, violation of the right of publicity, and intentional infliction of emotional distress. Sophisticated tech lawyers can assist in determining rights and technological solutions to mitigate harm. As former tech business owners, Beckage lawyers want to drive innovation through the use of these new and emerging technologies while understanding the standards and laws that may impact such development. Beckage recommends that companies proactively mitigate the risks associated with collecting biometric information and with deep fakes to prevent legal repercussions and defamation.

Key Takeaways

2020 proved to be an unpredictable year in more ways than one. The COVID-19 pandemic forced companies to rapidly adapt to new privacy and data security challenges caused by a distributed workforce, emerging technologies, and an increased focus on ecommerce over in-person shopping and events. As we move towards 2021 with no definitive end to the pandemic in sight, it is crucial for companies to prioritize data privacy and cybersecurity initiatives by consulting qualified legal tech experts who can help navigate the uncertainty next year will bring. Beckage attorneys can assist in creating, implementing, and evaluating robust data security and privacy infrastructures that will help put your business in a position to tackle all the challenges 2021 has in store.

*Attorney Advertising. Prior results do not guarantee similar outcomes.


Ongoing Cyber Attack Uses SolarWinds Software Update to Distribute Malware

Beckage’s Incident Response Team is monitoring an evolving hacking campaign that is leveraging a popular managed service provider named SolarWinds.

What happened?

Beginning over the weekend, multiple organizations around the globe, including United States government agencies, have been targeted by a hacking campaign reportedly carried out by a Russian organization known as CozyBear, APT29, or UNC2452. While cybersecurity officials are currently scrambling to implement countermeasures, initial signs suggest this campaign has been running for months.

Who has been affected?

FireEye, an American cybersecurity firm that was one of the organizations accessed, has led much of the analysis on this sophisticated cyber attack. Other victims so far include government agencies, consulting, technology, telecom, and oil and gas companies across North America, Asia, Europe, and the Middle East.

How was this attack carried out?

The attackers used a trojanized SolarWinds Orion business software update to distribute a backdoor called SUNBURST. Once this Trojan has infiltrated a server, the attackers are able to remotely control the devices on which the update has been installed. They can use this access to move freely throughout an organization’s network, installing additional software, creating new accounts, and accessing sensitive data and valuable resources. By establishing themselves as an authorized user, the attackers may be able to maintain this access even if the SolarWinds backdoor is removed, creating a slew of additional issues that may present themselves in the future.

The SUNBURST malware is designed for stealth, making it very difficult to determine whether a computer has been affected. After the backdoor has reached a device, it waits quietly for a period of 12 to 14 days before taking any action. Once activated, the attacker sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment. This allows the attacker to blend into the environment, avoid suspicion, and evade detection. The attackers also primarily use IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.

What to do now

Beckage recommends that organizations using SolarWinds as a provider implement several preventative steps to safeguard their organization, including the following measures:

  • Review current incident response protocols and processes.
  • Carefully craft internal and external messaging and FAQs with an experienced data breach attorney.
  • Make sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage has extensive experience dealing with headline-making data incidents similar to the CozyBear attack. Our team can assist you with implementing urgent preventative actions to avoid falling prey to this attack. If your systems have been accessed, we can work to minimize your legal exposure and regulatory vulnerabilities and manage response efforts and communications with any relevant stakeholders.

If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

The Big Take Away

Attackers continue to target service providers. This incident is one more piece of evidence that service providers are highly desirable and valuable businesses to compromise because they can provide an attacker with access to many, many clients. Attackers are looking for the hub of the wheel, so they can expand into all the spokes and carry out many simultaneous breaches.

This reality makes vendor management programs, including vendor security audits and initial security questionnaires for service providers, more essential than ever. Beckage’s clients benefit from our counsel on vetting vendors and service providers in order to mitigate the risk of falling victim to a cyber attack because of a vendor compromise.

A Holiday Reminder on Malicious Activity

Phishing campaigns, email compromise, and ransomware activities are extremely common around the holiday season. As a reminder, be sure your organization is being diligent in your efforts against these types of attacks even if you have not been affected by this particular incident.


Ransomware Activity Targeting the Healthcare and Public Health Sector

Beckage is notifying organizations in the healthcare sector of a potential threat that may occur this weekend. We will continue to monitor this situation and provide updates as they occur.

Late last night the Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about an imminent cybercrime threat to hospitals and healthcare providers. These organizations have credible information suggesting that there will be a widespread Ryuk ransomware attack this weekend. The threat is currently being investigated by the FBI, DHS, and the NSA’s Cybersecurity Threat Operations Center.

What We Know

The cybercrime organization Ryuk is targeting the Healthcare and Public Health sector with Trickbot malware that may lead to ransomware attacks, data theft, and the disruption of healthcare services, a particularly concerning possibility considering the nation is still grappling with the COVID-19 pandemic.

Based on what we know about Ryuk, it is possible that the threat actors have already deployed the encryption malware on targeted healthcare organizations’ systems and simply have not yet commanded it to activate. Given the threat, we urge all healthcare organizations to review the measures recommended by the FBI and consider some practical incident response measures.

What To Do Next

Beckage recommends that hospitals and healthcare providers implement several preventative steps to safeguard their organization, including the following measures:

  • Review current incident response protocols and processes within the next 24 hours.
  • Carefully craft internal and external messaging and FAQs with an experienced data breach attorney to help minimize legal risk.
  • Make sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage is available to discuss additional best practices that should be taken over the next 24 to 72 hours. Our team will continue to monitor this for new developments and provide updates as appropriate. If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.


What To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

While ransomware was already a growing global issue before the pandemic, COVID-19 has thrown jet fuel on that fire. As a result, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory statement on October 1, 2020. The advisory specifically details the risk of sanctions related to paying a ransom and reflects the greater reality that, as new wrinkles in attacks become common, including exfiltration of data for later extortion or deletion of backup files, more businesses than ever are considering ransom payment. OFAC wants your business to remember that paying ransom to certain groups is a sanctionable event.

Beckage is very familiar with many ways to avoid paying ransom, and we also remain informed of all the regulations and advisory guidance related to ransom payment.

A high-level review of a ransomware event can provide perspective on what role OFAC and its advisory mean to your business:

The Incident

Ransomware is a type of malicious software that infiltrates computer networks, locking and blocking access unless a ransom is paid. When your business encounters ransomware, your Incident Response Plan (IRP) should direct leadership to immediately initiate contact with previously identified parties whose work is focused on just this sort of matter, including counsel such as Beckage, and your cybersecurity insurance carrier.

Common Questions

In the first minutes and hours after ransomware is detected, we hear common questions, such as: Is paying ransom a viable path forward? Is it allowed? And if there are no other options for remediation and restoring from backups, how is it done?

The Response to Ransom Demands

Depending on the situation, ransoms are sometimes paid. This is not a default position, but it can be the necessary and most logical step in response to a ransomware incident. Your business does not suddenly have to figure out how to pay an unknown party the ransom; your tech lawyers will be familiar with third parties that specialize in incident response, including investigating the background of the threat actor and exploring payment. Such a third party will take steps to secure cryptocurrency, such as Bitcoin, for paying a ransom, work with counsel to understand how anti-money laundering laws apply to a transaction, and gauge whether the actor behind the ransomware is a sanctioned group or tied to a sanctioned group.

OFAC’s Impact

The OFAC advisory reminds us that the U.S. Government does not classify ransom payment as illegal, but ransom payments are not favored resolutions. The advisory serves as a reminder of existing practices and policies:

  • Fines can follow any violation of the International Emergency Economic Powers Act (IEEPA), the Trading with the Enemy Act (TWEA), the Specially Designated Nationals and Blocked Persons List (SDN List), or embargoes on jurisdictions such as Iran, North Korea, and Syria. Your counsel, insurers, and third parties involved in ransom payment should all be familiar with the requirements therein.
  • Businesses are encouraged to implement and maintain a compliance program to avoid sanction-related violations, which can help mitigate civil monetary penalties in the event of a sanctions-related violation.
  • Businesses should routinely review with their insurers and brokers if and how the ransom payment process is impacted by this and any future advisory.
  • Sharing ransomware incident information with relevant government agencies, including OFAC and the FBI, is highly encouraged but not required. Cooperation is not only critical to threat actor identification efforts but, like a formal compliance program, can mitigate penalties in the event of an enforcement action for a sanctions-related violation.

The Result

OFAC’s advisory continues an established narrative of best practices for any company affected by ransomware, and those are the practices of our firm. If your company finds itself under attack, look to experienced incident response lawyers, like Beckage, to help. As noted in the advisory, “there was a 37 percent annual increase in reported ransomware cases [from 2018 to 2019] and a 147 percent annual increase in associated losses from 2018 to 2019,” and these numbers are expected to continue to rise. By looking to experienced tech lawyers in incident response, you help your business mitigate risks associated with ransomware, including business interruption, reputational harm, and non-compliance with government standards for ransom payment.

Have your technology and incident response lawyers help establish, formalize, and update your corporate Information Security Practices and Incident Response Plan to address legal requirements and changes in the law, and to help your business avoid ransomware, or at least be fully prepared to respond to an incident.
