North Carolina is the First State to Prohibit Public Entities from Paying Ransoms: What Does This Mean for North Carolina Public Schools and Universities?

On April 5th, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. Indeed, in addition to prohibiting said entities from paying ransoms, North Carolina’s new law actually goes so far as to prohibit a public entity from even communicating with threat actors in response to a ransomware incident. The law also requires any North Carolina public entity that experiences a ransomware incident to “consult with” the North Carolina Department of Information Technology, in accordance with G.S. 143B‑1379.

2022 DSIR Deeper Dive: Increased Regulatory Scrutiny of Cybersecurity Incidents

Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage campaign and the Colonial Pipeline ransomware attack. This article summarizes several U.S. government actions aiming to improve the nation’s cybersecurity and the government’s ability to track and respond to cyber incidents. Organizations subject to these actions will need to evaluate how such actions may apply to them and take necessary measures to comply. Organizations should also note that these actions are just examples of a larger whole-of-government effort to bolster the nation’s cybersecurity and address cyberattacks—organizations should expect and watch for additional cyber regulations that may impact their operations.

2022 DSIR Deeper Dive: Vendor Incidents

Vendor-caused incidents continued to surge in 2021. Nearly 20 percent of the total incidents we handled last year were caused by vendors, with more than half requiring notification. As in prior years, vendor incidents involved phishing schemes and inadvertent disclosures but primarily resulted from ransomware attacks on the vendors’ systems. These ransomware attacks often involved the theft of customer data from a vendor’s environment or even spread of the ransomware from the vendor to the customer’s environment by utilizing the vendor’s own credentials.

Working with clients on both the vendor and customer sides of these incidents, we have seen the widespread and lasting effects such incidents have on all parties involved. Many vendors play a critical role in their customers’ operations and pride themselves on their focus and dedication to security. But the troves of sensitive data they maintain and access to multiple customer environments make them high-value targets for threat actors. Threat actors can not only rely on their usual tactics for extorting payments but leverage the added pressure of customers that need their data or the vendor’s services to maintain normal business operations. Even in cases where the incident may not be evident to a vendor’s customers, we have seen threat actors contact customers directly in an attempt to strong-arm the vendor into paying the ransom. The magnitude of vendor incidents often garners increased public attention, which can further complicate a vendor’s decision to pay.

Kentucky Joins Nearly 30 States by Enacting an Insurance Data Security Law

Kentucky became the latest state to adopt the NAIC insurance data security model law with Governor Andy Beshear’s signing of House Bill 474. The new law goes into effect Jan. 1, 2023, and gives covered licensees one or two years for implementation, depending on the specific provision. Like many other states, Kentucky enacted the law with some variations to the model law. One notable difference is Kentucky’s reporting requirements for a “cybersecurity event.” Under the new law, a “cybersecurity event” is “an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system.” Here, for an insurer domiciled in Kentucky, notification to the insurance commissioner is required if the cybersecurity event “has a reasonable likelihood of harming any material part of normal operations of the licensee.” Additionally, for an insurance producer whose home state is Kentucky, notice of a cybersecurity event is required without any qualification.

OCR Announces Four Enforcement Actions

On March 28, 2022, the Health and Human Services Office for Civil Rights (OCR) announced the resolution of four enforcement actions, three resolved in 2021 and one resolved in 2022. This group of covered entities has some interesting aspects. Three of the actions pertained to dental practices. One of those dental practices took the rare approach of never responding to OCR’s data request, never acknowledging or responding to OCR’s administrative subpoena, and then not contesting OCR’s findings in the Notice of Proposed Determination. Another dental practice used its patient list to fundraise for an unsuccessful state senate campaign.

It’s Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks: Part 3

In the event of a ransomware attack, there are a host of legal frameworks that could potentially be implicated. Whether those laws apply often depends on the nature of the data that the threat actor accessed and/or acquired. In this installment, we address the laws that could be implicated when an educational institution suffers a ransomware attack.

Forensics Deep Dive: The Importance of Proper Configuration and Monitoring

Many of the trends we observed in 2020 continued in 2021. Network intrusions and ransomware continued in full force, representing more than half the incidents we handled last year. Threat actors continued their tried-and-true tactics of encrypting devices and exfiltrating data to extort payments, and also tried new approaches or variations on old ones, like resorting to distributed denial-of-service attacks, contacting company employees to threaten them if ransoms weren’t paid, or looking for new targets in company networks, such as Linux-based systems. And threat actors are also leveraging the data stolen during ransomware incidents for other purposes, like business email compromise and wire transfer fraud.

Welcome to our 8th Annual Data Security Incident Response (DSIR) Report. What a year it has been!

2021 did not turn out the way many of us had hoped. Best-laid plans to “return to normal” were postponed numerous times due to multiple waves of COVID-19 outbreaks and new variants. The steady frequency of ransomware attacks in 2020 continued into 2021, highlighting the serious ongoing threat cyberattacks pose. The most frequent client requests this year included assistance with the ransom “pay-no pay” decision tree, OFAC compliance, and ransomware playbooks. The war in Ukraine and the responsive government sanctions have already increased interest in these topics, and we expect that to continue through 2022.

A Digital Advertising Primer on Preparing for the Post-Cookie World: Part Four

Part I: What Are Third-Party Cookies and Why They Are Important

Part II: Privacy Laws and Third-Party Cookies

Part III: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – Browsers and Mobile

Part IV: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – First-Party Data

Welcome to the fourth installment in our eight-part series preparing you for the post-cookie world. In our first post, we provided a deep dive into third-party cookies for a baseline understanding of the technology and the oversized impact of their phase-out on the adtech ecosystem. Our second post surveyed the current privacy legal landscape regulating the use of third-party cookies to collect, track, and share personal information. And in our third post, we discussed big tech’s – and, in particular, Google’s and Apple’s – role in ushering the phase-out of the third-party cookie and the potential post-cookie alternatives being developed by these two tech giants. In this post, we discuss the importance of first-party data and the related technology that is developing as the deprecation of the third-party cookie approaches, highlighting the ways in which publishers, brands, and platforms can partner to leverage the value of first-party data.

As discussed in our last post, Google and Apple are currently testing alternative identifier solutions that provide brands transparent access to users on the Chrome browser and on Apple iOS. As the phase-out of third-party cookies converges with an increase in privacy-related enforcement actions in the U.S. and Europe, as discussed in our second post, there is a renewed focus on first-party data and how it can be leveraged to provide advertisers with direct access to consumers. First-party data is data collected directly from audiences composed of customers, web visitors, and social media followers, presenting an opportunity for publishers and platforms to put trust and transparency at the forefront of their consumer relationships. However, relying on first-party data alone has left advertisers unsatisfied with campaign targeting and measurement, and as a result, players across the adtech ecosystem are partnering to reach addressable audiences at scale.

First-Party Data

First-party data is data collected by companies directly from the consumer’s activities and browsing history, including information like intent to purchase, browsing behavior, transaction history, and loyalty and rewards programs, among other things. Certain players, such as trusted brands with extensive customer engagement and social media platforms, for years have had a head start on collecting, collating, and organizing first-party data. Premium publishers also hold an advantage with their robust (sometimes consent-based) combinations of first-party data with contextual advertising strategies. There is also the related concept of “zero party” data, explicitly provided by the consumer to a brand. Zero-party data is arguably more reliable and accurate than first-party data, as it is actively and willingly shared by users.

Many tout first-party data as the key to the post-cookie world, but it cannot be relied on as the sole replacement for third-party cookies. While the leveraging of first-party data is a key component of campaign success and greater personalization, it is not a media targeting cure-all. First-party data may address consumer privacy concerns, but it lacks the granularity of measurement, reach, and scale that third-party cookies made possible. Businesses investing in first-party data may use it instead to strengthen consumer relationships, innovate user experience design, and even improve customer acquisition or retention. What is clear about the post-cookie world is that it will focus on transparent and authentic digital relationships between brands and consumers, which first-party data can help facilitate.

The Tools of First-Party Data

Brands, publishers, and platforms collect first-party data by building direct relationships with users, and the nature of those relationships and the technologies used differ depending on the specific value exchange with the customer. To control the export of data traveling to and from their sites, publishers may operate within a walled garden, a closed ecosystem in which first-party user data is shared directly with the publisher. Examples of walled gardens include the Apple App Store or Google Play Store, social media sites like Twitter, and collaboration platforms like Slack. Supplementing the walled garden approach is the rise of data clean rooms, which are encrypted, secure locations where first-party data, stripped of any personally identifiable information (PII), can be stored and analyzed. This tool can help businesses comply with regulations such as state privacy laws in California and more recently Colorado and Virginia, and the General Data Protection Regulation (GDPR) in Europe, which govern the collection, storage, and use of PII.

Not only are publishers evaluating the existing technological framework of first-party data targeting, but they are also doing more to build trust with users. Similar to Apple’s App Tracking Transparency, discussed in our last post, publishers and brands are increasingly testing direct communication with consumers to comply with privacy regulations, personalize a user’s browsing experience, and optimize contextual targeting for advertisers. Similarly, zero-party data is the latest tool in the hands of publishers looking to strengthen their relationships with users, as it provides insight into consumer preferences while providing seamless and well-tailored browsing experiences to users through personalization. Google has also created its own publisher-provided IDs, which it assigns to authenticated users to better track these consumers across a publisher’s online properties or devices. We will be discussing alternative identifiers in our next blog post, so more on that later.

At the center of all first-party data strategies are transactions in which companies provide products or services that in turn give them direct access to consumers. In the past decade, the media industry has launched a variety of streaming services and platforms to cater to the explosion of demand for online content. These historically “cookieless” relationships established by connected TV providers (such as Roku and Google Chromecast) and streaming platforms (like Netflix, Hulu, and Spotify) provide a wealth of first-party data that now can be leveraged in the post-cookie ecosystem. As evidenced by the flurry of investments in cross-platform measurement explained below, these companies plan to leverage their data at a premium across all devices to minimize duplicated reach and provide more meaningful ad experiences to subscribers.

Key first-party data strategies for publishers and platforms not only provide cross-platform insights to advertisers but also build stronger relationships by obtaining consent. The GDPR requires a legal basis (one of which is consent) to gather any data, while adult consumers under California, Colorado and Virginia state laws have the right to opt out of data collection. As the adtech industry embraces targeting through first-party data, companies must be mindful of these consent requirements when upgrading their user experiences. Asking for consent from all consumers, from California to Croatia, can simplify the process for publishers and platforms, but it may also limit the addressable audience pool. Companies can utilize consent management platforms, whether built in-house or through a third-party vendor, to gather and organize consumer consent for various use cases and achieve user experience personalization. Having a clear strategy on consent will help honor customer preferences and ensure compliance with the global patchwork of data privacy regulations.

Embracing New Partnerships

For publishers, brands, and platforms alike, the loss of third-party cookies means finding new ways to target users and measure campaign performance without tracking consumers across multiple sites. Emerging priorities of consent and transparency in the adtech industry and beyond also mean that those organizations with strong consumer relationships have troves of existing first-party data to leverage in the post-cookie world. For brands to stay afloat in these shifting tides, advertisers and platforms in the ecosystem should consider building relationships and possible partnerships with publishers or other data holders to promote maximum scale and efficiency of their ad campaigns relying on first-party data. Examples of the new potential partnerships in the fast-growing, post-cookie adtech space include:

  • Platform deals: In what a Yahoo executive dubbed a “community garden” as opposed to a walled garden, deals between publishers, brands, and supply-side platforms can grow addressable audiences and generate more ad revenue in the process. Last fall, BuzzFeed announced the next phase of its strategic partnership with social media ad platforms to provide brands preferred access to BuzzFeed’s family of sites. The Local Media Consortium, a strategic partnership between local newspaper publishers and broadcasters, developed a single sign-on technology, NewsPassID, which seeks to aggregate user subscriptions to achieve more attractive scale for advertisers.
  • Measurement deals: Publishers with copious amounts of first-party data can turn to data measurement vendors to gain insight into their own users. Brands and media agencies can use innovative measurement tools to target viewers efficiently across linear TV, connected TV, and digital devices as they test cross-platform measurement to maximize incremental reach. For instance, last year, Roku acquired Nielsen’s Advanced Video Advertising business and recently launched an end-to-end dynamic ad insertion solution providing granular targeting by age and gender demographic.
  • Clorox began investing in first-party data across brand websites and loyalty programs, implementing an in-house data management system that focuses more on ingesting and processing data from its own programs and properties rather than from third parties. In 2020, the New York Times rolled out its first-party data platform, Pivotal, for research and consumer insights. Earlier this year, NBCUniversal announced its own first-party data platform, NBCUnified, allowing brands direct access to consumers through the media giant’s cross-platform offerings. Each of these initiatives set out to increase relevance of ad targeting using existing first-party data, gleaned from consumer relationships such as loyalty programs and subscriptions.

No matter how these current or future initiatives take shape, the industry will require cooperation from all players – publishers, brands, and adtech vendors – to move toward innovative and compliant first-party data solutions. Those developing or reformulating their first-party data strategy should develop detailed inventories of relevant first-party data, a thorough understanding of any gaps in their addressable audience, and a knowledge of how data flows through their organization’s online presence. Companies considering partnerships with other companies should also be mindful of exactly how consumer data is shared in order to ensure privacy law compliance, particularly where PII is involved. Stay tuned for the next blog post, where we will be discussing the various alternative identifiers emerging in the post-cookie landscape. Publishers and platforms are beginning to deploy their own advertising strategies, and a flurry of alternative identifiers have entered the market and are currently being tested. The identifiers that are eventually widely adopted will shape the future of the adtech industry, as advertisers currently struggle to reach consensus on how best to replace the third-party cookie. Our next post will provide a survey of these tools and a summary of the emerging alternative identifier landscape.

Part 2 of BakerHostetler’s Countdown to CPRA – Top 5 FAQs to Evaluate Compliance Strategy for Employees

In Part 1 of BakerHostetler’s Countdown to CPRA blog series, we provided initial guidance to businesses on key California Privacy Rights Act (CPRA) compliance readiness considerations. On January 1, 2023, California could become the first U.S. state to enact a comprehensive data privacy law covering employment-related data (“B2E”), whereas the California Consumer Privacy Act (CCPA) currently only applies to employment data in a limited fashion. While we continue to await final regulations from the California Privacy Protection Agency, which we have learned may be delayed until the third or fourth quarter of 2022, we continue to assess and provide guidance on key areas of focus for businesses to consider when developing a business strategy for CPRA compliance for B2E.
