US hospitals and healthcare systems should be on high alert after a rare joint advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) warning all US hospitals and healthcare providers of an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The joint advisory can be found here. Access the article.
On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory alert that serves as a warning to entities who have been or will be the victim of a ransomware attack. As such, the crucial decision of whether to pay a ransom now comes with the additional risk of legal scrutiny by a powerful federal agency and the possibility of steep fines. Access the article.
Brazil represents over half of all IT spend in Latin America, has the largest regional market for software outsourcing, employs a sizable IT workforce, manufactures consumer goods (including commercial airplanes and cars) and has an active consumer market of social media operated by global data aggregators. At a time when data privacy is becoming increasingly important to consumers, it seems only fitting that Brazil would adopt comprehensive privacy legislation to protect data privacy rights. The General Data Protection Law, the first law of its kind in Brazil, is now in effect, and we are already seeing enforcement. Streamlining the legal framework on data protection, the law sets forth a number of requirements addressing legal bases for processing, individual rights, governance and accountability and data transfers. Access the article.
On August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber's former chief security officer, with obstruction of justice and misprision of a felony in connection with an alleged attempted cover-up of a 2016 data breach. These are serious charges for which Mr. Sullivan has the presumption of innocence. At the time of the 2016 data breach, Uber was being investigated by the US Federal Trade Commission (FTC) in connection with a prior data breach that occurred in 2014. According to the complaint, the hackers behind the 2016 breach stole a database containing the personal information of about 57 million Uber users and drivers. The hackers contacted Uber to inform the company of the attack and demanded payment in return for their silence. According to the complaint, Uber's response was to attempt to recast the breach as a legitimate event under Uber's "bug bounty" program and pay a bounty. An affidavit submitted with the complaint portrays a...
On July 21, 2020, the New York Department of Financial Services (NYDFS) announced that it had filed its first enforcement action under 23 NYCRR 500 (the "Cybersecurity Regulation") against a large title insurance provider. Covered entities should closely monitor this enforcement action. Access the article.