A New Sheriff in Town: Enforcement of the CCPA Picks Up Under Bonta

The California Office of the Attorney General, under the leadership of new Attorney General Rob Bonta, has taken significant actions in recent weeks indicating that it is ramping up and potentially adding a new area of focus in its enforcement of the California Consumer Privacy Act. Read on for some important considerations for businesses.

Kaseya: The Latest High-Profile Ransomware Attack

On July 2, 2021, Kaseya Ltd., a Florida-based firm that provides software tools to thousands of primarily small and mid-sized businesses, became the latest victim of a high-profile ransomware attack. The attack is believed to have affected as many as 1,500 of Kaseya’s customers throughout the world, including at least 200 businesses in the United States. The attackers, who have claimed association with the Russia-linked REvil ransomware gang, have demanded an astronomical $70 million ransom to restore services for affected businesses.

The Kaseya attack was particularly devastating and effective because it was a supply chain attack, meaning it targeted a type of software that many other companies use to manage and distribute software updates. Thus, the attack not only affected Kaseya, but also potentially all of its customers.

Colorado Privacy Act: The Patchwork of State Privacy Regimes Grows

With Colorado Governor Jared Polis expected to sign the Colorado Privacy Act, SB-190, into law in the coming days, Colorado will join California and Virginia as the third state with a comprehensive data privacy law. The Colorado Privacy Act (“CPA”)—which passed with bipartisan support in both the Colorado House and Senate—is similar, but not identical, to the California and Virginia data privacy laws. Although its provisions will not take effect until July 1, 2023, the passage of the CPA grows the patchwork of state privacy regimes and may spur further calls for a uniform federal standard, as compliance for businesses becomes increasingly complicated.

U.S. Department of Labor Issues Cybersecurity Guidance for ERISA-Covered Plans

There has been a rash of high-profile cyberattacks in the United States recently. Some of the more visible public attacks include SolarWinds, the Microsoft Exchange attack, Accellion, the Florida Water Treatment Plant and, more recently, the devastating cyberattacks against Colonial Pipeline. These attacks, while disruptive, also yielded high-dollar payments to the cyber-threat actors.

ERISA-covered plans hold just under $10 trillion in assets, and these plans are particularly enticing for cyber-threat actors. Although the Colonial Pipeline cyberattack was executed by a coordinated hacking group, cyberattacks on ERISA-covered plans have historically been less complex. A typical scenario involves a retired employee’s ERISA account being accessed by an imposter, who then steals the account balance.

Cybersecurity Enforcement Trends: A Fraught New Reality for ‘Victims’ of Cyberattacks

New York partners Pete Baldwin and Bob Mancuso authored an article for the New York Law Journal titled, “Cybersecurity Enforcement Trends: A Fraught New Reality for ‘Victims’ of Cyberattacks,” that discusses how regulators have shifted their focus from data breach notifications to overall cybersecurity preparedness.

SEC ‘Sweep’ of Public Companies’ & Registrants’ Responses to the SolarWinds Cyberbreach

As publicly reported late last week, the Securities and Exchange Commission’s Division of Enforcement (SEC) sent voluntary requests for information to a range of public companies and investment firms seeking voluntary disclosure of information related to last year’s SolarWinds cyberattack. Specifically, the SEC is seeking information related to whether the companies and firms were exposed to the SolarWinds cyberattack and any remedial measures the companies and firms implemented in response.

©2025 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.