What to Expect on Privacy with a New Democratic Majority at the FTC

FTC Update

It has been just over one year since Lina Khan was confirmed by the Senate and designated Federal Trade Commission (FTC) chair by the president. At the outset of her tenure, she had a Democratic majority, which ended in October 2021 when former Commissioner Rohit Chopra departed the FTC to take over as director of the Consumer Financial Protection Bureau. But in May, the Senate confirmed Alvaro Bedoya as the fifth commissioner in the narrowest of votes, giving back a Democratic majority to Chair Khan.

Since the Democratic majority has re-formed, not much has changed outwardly at the agency; indeed, almost every consumer protection and privacy case voted out in the past few months has been voted out unanimously, though with occasional concurring statements from some commissioners. But it is likely that we will see more partisan activity going forward, akin to what the agency saw when Chair Khan first took over.

Continue Reading

DSIR Deeper Dive into the Data: Ransomware Front and Center

There is no question that ransomware is here to stay. Thirty-seven percent of the matters we handled last year involved ransomware, compared to 27 percent of matters in 2020. In 2019, there were approximately 15 active ransomware threat actor groups. In 2021, we handled matters involving more than 80 different ransomware variants. Government entities and regulators have taken notice, spurred on by media attention to high-profile incidents. Threat actors are evolving, finding additional ways to put pressure on victims to pay. This means that organizations must also evolve to stay ahead of them. This has become even more apparent in recent months, with threat actor groups dissolving, reforming under new names, and even making public statements about current world affairs, including the war in Ukraine. 

Continue Reading

If it’s broke, just fix it…: Curing Alleged CCPA Violations

Courts across the United States continue to grapple with California’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA). While the contours of this law are being litigated on multiple fronts, one important, but not most discussed provision, is Section 1798.150(a)(1), the right to cure.

The CCPA, like other, similar California privacy laws, includes an opportunity to cure after notice. Cf. California Consumer Legal Remedies Act, Cal, Civ. Code. § 1770, et seq. (providing a 30-day cure period, but not eliminating a statutory class action by way of the cure).  Specifically, an affected consumer must give a business thirty days’ notice of a CCPA violation prior to initiating any suit for individual or class-wide statutory damages. Importantly, “[I]f within the 30 days the business actuallycures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur,” the CCPA forbids an individual or class-wide statutory damages action against the business. While a consumer may always – without notice – file an action for actual money damages because of alleged CCPA violations. Preventing statutory damages can protect from greater liability. But what does it mean to “actually cure” the violation?

Continue Reading

CPPA Begins CPRA Rulemaking

On May 26, 2022, the California Privacy Protection Agency (CPPA or the Agency) held a public board meeting to provide updates on the Agency’s rulemaking process. The next day, the CPPA released draft regulations for the California Privacy Rights Act (CPRA). This post includes initial impressions of the proposed regulations and how they square with the board’s discussion of the rulemaking process during the May 26 meeting. Our full analysis of the newly released proposed regulations is forthcoming.

Continue Reading

North Carolina is the First State to Prohibit Public Entities from Paying Ransoms: What Does This Mean for North Carolina Public Schools and Universities?

On April 5th, North Carolina became the first state to prohibit state agencies and local governments from paying ransoms after becoming victims of a ransomware attack. Indeed, in addition to prohibiting said entities from paying ransoms, North Carolina’s new law actually goes so far as to prohibit a public entity from even communicating with threat actors in response to a ransomware incident. The law also requires any North Carolina public entity that experiences a ransomware incident to “consult with” the North Carolina Department of Information Technology, in accordance with G.S. 143B‑1379.

Continue Reading

2022 DSIR Deeper Dive: Increased Regulatory Scrutiny of Cybersecurity Incidents

Click the image to download the 2022 DSIR Report.

Our 2022 Data Security Incident Response Report discussed the increased regulatory scrutiny of cybersecurity incidents and defenses following a year of high-profile and damaging cyberattacks, including the Russia-based SolarWinds espionage campaign and the Colonial Pipeline ransomware attack. This article summarizes several U.S. government actions aiming to improve the nation’s cybersecurity and the government’s ability to track and respond to cyber incidents. Organizations subject to these actions will need to evaluate how such actions may apply to them and take necessary measures to comply. Organizations should also note that these actions are just examples of a larger whole-of-government effort to bolster the nation’s cybersecurity and address cyberattacks—organizations should expect and watch for additional cyber regulations that may impact their operations.

Continue Reading

2022 DSIR Deeper Dive: Vendor Incidents

Click the image to download the 2022 DSIR Report.

Vendor-caused incidents continued to surge in 2021. Nearly 20 percent of the total incidents we handled last year were caused by vendors, with more than half requiring notification. As in prior years, vendor incidents involved phishing schemes and inadvertent disclosures but primarily resulted from ransomware attacks on the vendors’ systems. These ransomware attacks often involved the theft of customer data from a vendor’s environment or even spread of the ransomware from the vendor to the customer’s environment by utilizing the vendor’s own credentials.

Working with clients on both the vendor and customer sides of these incidents, we have seen the widespread and lasting effects such incidents have on all parties involved. Many vendors play a critical role in their customers’ operations and pride themselves on their focus and dedication to security. But the troves of sensitive data they maintain and access to multiple customer environments make them high-value targets for threat actors. Threat actors can not only rely on their usual tactics for extorting payments but leverage the added pressure of customers that need their data or the vendor’s services to maintain normal business operations. Even in cases where the incident may not be evident to a vendor’s customers, we have seen threat actors contact customers directly in an attempt to strong-arm the vendor into paying the ransom. The magnitude of vendor incidents often garners increased public attention, which can further complicate a vendor’s decision to pay.  

Continue Reading

Kentucky Joins Nearly 30 States by Enacting an Insurance Data Security Law

Kentucky became the latest state to adopt the NAIC insurance data security model law with Governor Andy Beshear’s signing of House Bill 474. The new law goes into effect Jan. 1, 2023, and gives covered licensees one or two years for implementation, depending on the specific provision. Like many other states, Kentucky enacted the law with some variations to the model law. One notable difference is Kentucky’s reporting requirements for a “cybersecurity event.” Under the new law, a “cybersecurity event” is “an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system.” Here, for an insurer domiciled in Kentucky, notification to the insurance commissioner is required if the cybersecurity event “has a reasonable likelihood of harming any material part of normal operations of the licensee.” Additionally, for an insurance producer whose home state is Kentucky, notice of a cybersecurity event is required without any qualification.

Continue Reading

OCR Announces Four Enforcement Actions

On March 28, 2022, Health and Human Services, Office for Civil Rights (OCR) announced the resolution of four enforcement actions, three resolved in 2021 and one resolved in 2022. There are some interesting aspects of this group of covered entities. Three of the actions pertained to dental practices. One of those dental practices took the rare approach of never responding to OCR’s data request, never acknowledging or responding to OCR’s administrative subpoena, and then did not contest OCR’s findings in the Notice of Proposed Determination. Another dental practice used its patient list to fundraise for an unsuccessful state senate campaign.

Continue Reading

It’s Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks: Part 3




In the event of a ransomware attack, there are a host of legal frameworks that could potentially be implicated.  Whether those laws apply often depends on the nature of the data that the threat actor accessed and/or acquired.  In this installment, we address the laws that could be implicated when an educational institution suffers a ransomware attack.

Continue Reading