On December 6, 2021, in the Memorandum for the Heads of Executive Departments and Agencies, the Office of Management and Budget took a more aggressive position on strengthening the nation’s cybersecurity posture. Under this memorandum, federal agencies are now mandated to report “major” cyberattacks within one hour of discovery to the Cybersecurity and Infrastructure Security Agency (CISA) and to the Office of Management and Budget (OMB). It also directed that affected agencies update reports within one hour of determining that an already-reported incident is determined to be “major.”
Following up on a mandatory 2019 request for information issued by the Federal Trade Commission (FTC) to the largest Internet Service Providers (ISPs) in the United States, the FTC staff in late October issued a Report titled – A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers. Among the agency staff’s general findings on ISP data collection and use practices, the most striking perhaps is the apparent degree of integration among ISPs and advertisers with respect to their data collection and use practices. The report also highlights the tools ISPs offer to customers to either manage or control many types of ISP data collection and use.
The information presented in the Report is aggregated and de-identified and has been supplemented with information gathered from follow-up FTC staff questions and meetings with the ISPs that were the subjects of the FTC information request. The Report’s summary of information on real-world ISP data practices could prove useful as Congress wrestles with the potential for federal privacy legislation and states review the need for legislation.
In October, the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published new guidance for the virtual currency industry focusing on compliance with the financial industry’s obligations related to U.S. economic sanctions.
OFAC administers and enforces economic sanctions against targeted and/or sanctioned foreign countries, geographic regions, entities, and individuals to further U.S. foreign policy and national security goals.
As noted in the new guidance, virtual currencies now playing an increasingly prominent role in the global economy. The growing relevance of virtual currency, both as an investment and as a payment method, brings greater exposure to sanctions risks. Specifically, there is an increased risk that a sanctioned entity or an entity in a jurisdiction subject to sanctions might use virtual currency as an alternative to fiat currency in an effort to avoid U.S. sanctions. As such, the OFAC guidance specifically targets technology companies, virtual currency exchanges, virtual currency administrators, virtual miners, digital currency wallet providers, and users.
When it comes to cryptocurrency, questions abound: What can you purchase with crypto? How can you buy it? Is crypto a passing fad or an innovation that will stand the test of time? In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss sits down with Faegre Drinker’s Jeffrey Blumberg and former Orange County District Attorney Rahul Gupta, a cybercrime prosecutor with experience in cryptocurrency criminal litigation, to talk all things cryptocurrency.
On November 8, 2021, New York Governor Kathy Hochul signed new workplace privacy legislation (A.430/S.2628) into law. Beginning in May 2022, private employers with a “place of business” in the state of New York will have to inform their employees if the employer “monitors or otherwise intercepts” telephone conversations, e-mail, or internet access or usage “of or by an employee by any electronic device or system.” This legislation does not apply to state or local government employers.
Ransomware incidents continue to be on the rise, wreaking havoc for organizations globally. Ransomware attacks target an organization’s data or infrastructure, and, in exchange for releasing the captured data or infrastructure, the attacker demands a ransom. This creates a dilemma for organizations — the decision to pay the ransom, relying on the attacker to release the data as they say, or to reject the ransom demand and try to restore the data or operations on their own.