Disruptionware attacks have become increasingly more common over the last few months. Just last month, I wrote about a dangerous disruptionware attack against a Florida Water Treatment Center that could have been a mass casualty event. For more information on these types of attacks, please refer to our posts on different types of disruptionware attacks and how disruptionware attacks work.
On April 26, 2021, the Second Circuit Court of Appeals decided the case of McMorris v. Carlos Lopez & Assocs., No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021) and addressed one of the most critical issues in private data breach class actions – whether victims of a data breach can establish Article III standing by alleging they are at an increased risk of identity theft or fraud, even if their personal data has not yet been misused.
Although the district court’s ruling that plaintiffs did not establish standing was upheld, the Second Circuit found that victims of a data breach can establish standing based on a risk of future identity theft or fraud. The court also put forward a three-factor test to determine if standing exists when misuse of plaintiffs’ data has not yet occurred.
On April 15, 2021, the New York Department of Financial Services (NYDFS) issued a report on the recent SolarWinds cyberattack. A copy of the report is available here. NYDFS called the attack a “wake-up call” to regulated financial institutions and insurers that should cause them to immediately assess and, if necessary, improve their own cybersecurity posture in order to avoid victimization in future attacks.
NYDFS characterized the SolarWinds attack as a “widespread, sophisticated espionage campaign” by Russian foreign intelligence actors that resulted in “the most visible, widespread, and intrusive information technology supply chain attack” successfully completed to date. According to the report, the attack opened back doors into thousands of organizations around the United States and involved the theft of sensitive data from over 100 private sector companies, as well as at least nine federal agencies. NYDFS noted ominously that the attack highlighted the obvious “vulnerability to supply chain attacks” within the financial services industry.
TikTok is facing a potential legal claim in the U.K. brought by the former Children’s Commissioner for England, Anne Longfield, on behalf of millions of children in the U.K. and EEA who have used the social media app. Claimants in the action could be entitled to over $1 billion pounds in damages.
This action follows fines issued by the U.S. Federal Trade Commission in 2019 and the Korea Communications Commission in South Korea in 2020 for mishandling children’s data. TikTok has also previously been investigated by the U.K.’s Information Commissioner’s Office, which ordered TikTok in 2019 to delete data associated with a linked app and set up an age verification system for that function.
Earlier this month, the New York State Department of Financial Services (NYDFS) announced a settlement and consent order with National Securities Corporation (National Securities) for $3 million in connection with National Securities’ violations of NYDFS’s Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500).
National Securities sells life insurance, accident and health insurance, and variable life/variable annuities insurance. As part of its day-to-day operations, National Securities collects personal data from its customers.
Due diligence is at the heart of negotiating and finalizing any major deal, and parties’ cybersecurity practices have become a focal point in the M&A due diligence process. In the latest episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss and guests Paul Luehr and Dori Cain discuss the importance of cybersecurity due diligence in the mergers and acquisitions field, what criteria professionals evaluate in this process, and how “cybersecurity hygiene” can impact the deal-making process. The podcast covers a number of questions, including:
- What does the cybersecurity due diligence aspect of a merger or acquisition look like? Why is “cyber diligence” so important in the deal-making process?
- What insights or hard facts are cybersecurity professionals looking for when evaluating cybersecurity at the outset of the mergers and acquisition process? What “cyber hygiene” criteria should be assessed at every step of deal negotiations? Are there any common deal-breakers in this process?