With Colorado Governor Jared Polis expected to sign the Colorado Privacy Act, SB-190 into law in the coming days, Colorado will join California and Virginia as the third state with a comprehensive data privacy law.1 The Colorado Privacy Act (“CPA”)—which passed with bipartisan support in both the Colorado House and Senate—is similar, but not identical, to the California and Virginia data privacy laws. Although its provisions will not take effect until July 1, 2023, the passage of the CPA grows the patchwork of state privacy regimes and may spur further calls for a uniform federal standard, as compliance for businesses becomes increasingly complicated.
U.S. Department of Labor Issues Cybersecurity Guidance for ERISA-Covered Plans
There have been a rash of high-profile cyberattacks in the United States recently. Some of the more visible public attacks include SolarWinds, the Microsoft Exchange attack, Accellion, the Florida Water Treatment Plant and, more recently, the devastating cyber-attacks against Colonial Pipeline. These attacks, while disruptive, also yielded high-dollar payments to the cyber-threat actors.
ERISA-covered plans hold just under $10 trillion in assets and these plans are particularly enticing for cyber-threat actors. Although the Colonial Pipeline cyberattacks was executed by a coordinated hacking group, cyberattacks on ERISA-covered plans have historically been less complex. A typical scenario involves a retired employee’s ERISA account being accessed by an imposter, who then steals the account balance.
Continue reading “U.S. Department of Labor Issues Cybersecurity Guidance for ERISA-Covered Plans”
Cybersecurity Enforcement Trends: A Fraught New Reality for ‘Victims’ of Cyberattacks
New York partners Pete Baldwin and Bob Mancuso authored an article for the New York Law Journal titled, “Cybersecurity Enforcement Trends: A Fraught New Reality for ‘Victims’ of Cyberattacks,” that discusses how regulators have shifted their focus from data breach notifications to overall cybersecurity preparedness.
SEC ‘Sweep’ of Public Companies’ & Registrants’ Responses to the SolarWinds Cyberbreach
As publicly reported late last week, the Securities and Exchange Commission’s Division of Enforcement (SEC) sent voluntary requests for information to a range of public companies and investment firms seeking voluntary disclosure of information related to last year’s SolarWinds cyberattack. Specifically, the SEC is seeking information related to whether the companies and firms were exposed to the SolarWinds cyberattack and any remedial measures the companies and firms implemented in response.
Department of Homeland Security Announces New Cybersecurity Requirements for Pipelines
The Department of Homeland Security (DHS) recently announced a new Security Directive requiring companies in the pipeline sector “to better identify, protect against, and respond to” cyber threats. Among other things, the Security Directive requires pipeline operators to report cyberattacks against their pipelines to DHS. This new requirement replaces the voluntary reporting guidelines that had been in place since 2010.
The new Security Directive is a response to the May 2021 ransomware attack on Colonial Pipeline that shut down much of the oil and gas distribution to the East Coast of the United States for approximately six days. According to various media reports, Colonial Pipeline ultimately elected to pay a Russian ransomware gang that claimed responsibility for the attack over four million dollars to re-open the crippled pipeline.
Faegre Drinker on Law and Technology Podcast: Computer Forensics
Computer Forensics: What is it? How is it Used in Civil and Criminal Incident Response Work? In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss talks with Supervisory Special Agent Steve Crist of the FBI and former Orange County DA Investigator Dave White about the importance of using computer forensics in private sector and government cyber and incident response investigations. They explore the differences between computer forensics and traditional “wet” forensics; how computer forensics has grown to play a significant role in civil investigative and legal matters; the importance of digital evidence in criminal cases; and how a digital investigator works their way through a case.
Continue reading “Faegre Drinker on Law and Technology Podcast: Computer Forensics”