New Bill Proposes that Americans Should Be Able to Sue Foreign Hackers

Share

The Homeland and Cyber Threat Act (HACT) was introduced in the U.S. House on March 12, 2021. This bill would allow U.S. citizens to sue foreign governments, agents and officials and to collect monetary damages for personal injury, damage or loss of property resulting from a cyberattack with foreign origins.

This bipartisan bill was introduced because cybersecurity activity and cyber incidents continue to rise, leading to increasing concerns of data security. Rep. Bergman, R-MI, a key sponsor of both this bill and a similar bill introduced in 2019, describes HACT as a tool of accountability for foreign states. The other bill sponsors (Reps. Allred, D-TX; Fitzpatrick, R-PA; Herrera Beutler, R-WA; Neguse, D-CO; and Kim, D-NJ) echo this theme of accountability and point to HACT as a way for Americans to “fight back against foreign cyberattacks.”

Continue reading “New Bill Proposes that Americans Should Be Able to Sue Foreign Hackers”

Disruptionware VI: Cyber-Attack against Colonial Pipeline Illustrates Continued Vulnerability of American Energy and Infrastructure Targets

Share

Disruptionware attacks have become increasingly more common over the last few months. Just last month, I wrote about a dangerous disruptionware attack against a Florida Water Treatment Center that could have been a mass casualty event. For more information on these types of attacks, please refer to our posts on different types of disruptionware attacks and how disruptionware attacks work.

Continue reading “Disruptionware VI: Cyber-Attack against Colonial Pipeline Illustrates Continued Vulnerability of American Energy and Infrastructure Targets”

Second Circuit Addresses Critical Issue in Data Breach Class Actions: Article III Standing Based on Allegations of Future Misuse of Personal Data

Share

On April 26, 2021, the Second Circuit Court of Appeals decided the case of McMorris v. Carlos Lopez & Assocs., No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021) and addressed one of the most critical issues in private data breach class actions – whether victims of a data breach can establish Article III standing by alleging they are at an increased risk of identity theft or fraud, even if their personal data has not yet been misused.

Although the district court’s ruling that plaintiffs did not establish standing was upheld, the Second Circuit found that victims of a data breach can establish standing based on a risk of future identity theft or fraud. The court also put forward a three-factor test to determine if standing exists when misuse of plaintiffs’ data has not yet occurred.

Continue reading “Second Circuit Addresses Critical Issue in Data Breach Class Actions: Article III Standing Based on Allegations of Future Misuse of Personal Data”

New York Department of Financial Services Issues Report on SolarWinds Cyberattack

Share

On April 15, 2021, the New York Department of Financial Services (NYDFS) issued a report on the recent SolarWinds cyberattack. A copy of the report is available here. NYDFS called the attack a “wake-up call” to regulated financial institutions and insurers that should cause them to immediately assess and, if necessary, improve their own cybersecurity posture in order to avoid victimization in future attacks.

NYDFS characterized the SolarWinds attack as a “widespread, sophisticated espionage campaign” by Russian foreign intelligence actors that resulted in “the most visible, widespread, and intrusive information technology supply chain attack” successfully completed to date. According to the report, the attack opened back doors into thousands of organizations around the United States and involved the theft of sensitive data from over 100 private sector companies, as well as at least nine federal agencies. NYDFS noted ominously that the attack highlighted the obvious “vulnerability to supply chain attacks” within the financial services industry.

Continue reading “New York Department of Financial Services Issues Report on SolarWinds Cyberattack”

TikTok Facing Billion-Pound Legal Challenge in Children’s Data Privacy Lawsuit

Share

TikTok is facing a potential legal claim in the U.K. brought by the former Children’s Commissioner for England, Anne Longfield, on behalf of millions of children in the U.K. and EEA who have used the social media app. Claimants in the action could be entitled to over $1 billion pounds in damages.

This action follows fines issued by the U.S. Federal Trade Commission in 2019 and the Korea Communications Commission in South Korea in 2020 for mishandling children’s data. TikTok has also previously been investigated by the U.K.’s Information Commissioner’s Office, which ordered TikTok in 2019 to delete data associated with a linked app and set up an age verification system for that function.

Continue reading “TikTok Facing Billion-Pound Legal Challenge in Children’s Data Privacy Lawsuit”

New York Department of Financial Services and National Securities Corporation Agree to $3 Million Settlement in Cybersecurity Enforcement Action

Share

Earlier this month, the New York State Department of Financial Services (NYDFS) announced a settlement and consent order with National Securities Corporation (National Securities) for $3 million in connection with National Securities’ violations of NYDFS’s Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500).

National Securities sells life insurance, accident and health insurance, and variable life/variable annuities insurance. As part of its day-to-day operations, National Securities collects personal data from its customers.

Continue reading “New York Department of Financial Services and National Securities Corporation Agree to $3 Million Settlement in Cybersecurity Enforcement Action”