It’s Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks: Part 2


The best way to ensure that an educational institution can respond quickly and effectively to a ransomware attack, and minimize the chaos and confusion that accompanies such incidents, is to have an incident response plan in place that outlines the procedures to be followed once ransomware has been detected. In this posting, we discuss two threshold questions that educational institutions should address in their ransomware incident response plans:

(1) Who is responsible for making key decisions?

(2) What action items need to be addressed in the first 24 hours after discovery of the ransomware incident?


Sounding the Alarm: New Federal Law Will Mandate the Reporting of Cybersecurity Incidents Involving Critical Infrastructure – What Companies Need to Do Now to Be Prepared

In response to increased and persistent cybersecurity threats to American infrastructure, Congress passed the Strengthening American Cybersecurity Act (SACA), which President Joe Biden signed into law on March 15. SACA is likely the first of many steps toward a federal privacy and breach notification framework.

Included in SACA is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), which will create new reporting obligations with very short deadlines for businesses and government entities that operate in certain critical infrastructure sectors, as defined by the Cybersecurity and Infrastructure Security Agency (CISA). The critical infrastructure sectors identified by CISA encompass industries ranging from energy to healthcare. The Act assigns the director of CISA 24 months to publish a notice of proposed rulemaking and permits an additional 18 months after publication of the proposed rule before a final rule must be issued.


Impact of the Ukraine/Russia Conflict on Cybersecurity in the United States

On Feb. 24, 2022, Russia launched a large-scale military incursion into Ukraine. By all accounts, the Russian offensive proceeded on multiple fronts, including attacks against Ukraine’s computer networks and communication systems. The cyberattacks began before the first tank crossed the border, with Ukrainian networks subjected to multiple targeted attacks involving hacking, distributed denial of service and the introduction of malware that specifically targeted Ukrainian systems and wiped data.

This isn’t the first time Russia has engaged in this type of cyberwarfare, nor is it likely to be the last. Many will remember the widespread power outages in 2015, when Russian hackers breached the Ukrainian power grid, or the 2017 NotPetya malware, which was intended to target Ukraine’s networks but quickly spread out of control, causing billions of dollars in damage around the globe.


International Data Protection Update

This Update highlights some of the international data protection issues that caught our attention and the attention of our clients over the winter, including updates on European data transfers and cookie compliance, regulatory enforcement actions, and data protection laws in Canada, China, India and Saudi Arabia.

Russia’s Attack on Ukraine

Government cybersecurity agencies worldwide are urging all organizations to bolster online defenses, adopt enhanced cybersecurity postures and be prepared to respond to disruptive cyber activities. At this time, no specific and credible cyberthreats are being reported in the United States, but destructive malware, ransomware and targeting of network infrastructure devices have been reported in Ukraine. Building on increased fear of cyberattacks in the United States, the Senate rushed through new legislation to strengthen the federal government’s defenses and to mandate incident reporting by certain entities in U.S. critical infrastructure. BakerHostetler’s Digital Risk Advisory and Cybersecurity team is actively advising clients on emerging threats and associated government action related to the war in Ukraine.

Shruti Bhutani Arora, Whitney Schneider-White and Justin Yedor also contributed to the drafting of this Update.


A Road Map for CPRA Compliance

For companies preparing to comply with the California Privacy Rights Act (CPRA), operative on Jan. 1, 2023, this Road Map summarizes the provisions of the California Consumer Privacy Act (CCPA), which the CPRA amends, and the new requirements under the CPRA. It also includes a checklist of practical compliance actions.


It’s Elementary: Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks: Part 1


The ransomware epidemic has affected and continues to affect all industries, including healthcare, manufacturing and finance. Since 2020, however, the education industry has been targeted as much as or more than any other sector. Indeed, approximately 23 percent of the 1,250+ data security incidents that BakerHostetler helped clients manage over the past year involved educational institutions – the highest percentage of any business sector.

It should not come as a surprise that cyber criminals are targeting educational institutions. First, educational institutions – especially colleges and universities – generally maintain a treasure trove of personal information about students and employees, as well as sensitive research data that they might be willing to pay threat actors not to post on the dark web. Moreover, educational institutions operate on strict timelines and can often ill afford to cancel classes for days or weeks at a time. As such, when faced with the choice of paying a ransom or risking being unable to hold classes or process student/applicant/donor information for several days or weeks, educational institutions often choose the path of least resistance and pay the ransom. In fact, a recent report issued by Sophos, The State of Ransomware in Education 2021, found that the education sector has the third-highest rate of ransom payment (35 percent), behind energy, oil/gas and utilities (43 percent) and local governments (42 percent). Last, and perhaps most significant, educational institutions often utilize numerous public-facing systems, have large numbers of users who access their networks, and do not have robust cybersecurity defenses in place, thus making them easier targets than entities in many other sectors.

There are several measures that educational institutions (or any entity, for that matter) can and should take to protect themselves against cyberattacks. Among other things, they should:

(a) implement multifactor authentication for all users;

(b) implement password complexity/rotation requirements;

(c) regularly patch software and systems;

(d) provide regular and frequent cybersecurity training to employees;

(e) utilize enhanced endpoint threat protection and detection solutions; and

(f) maintain air-gapped backups of critical systems.

Although these proactive measures can significantly reduce the likelihood that an entity will be victimized by a cyberattack, it is impossible for an entity to completely immunize itself from such an incident. Educational institutions are well served to accept the cliché that it is not a question of if they will experience a ransomware attack, but rather when. Recognizing that it is only a matter of time before they are faced with a ransomware incident, it is vital that educational institutions develop comprehensive incident response plans. In this series, we address several issues related to the incident response process that educational institutions should consider in advance of a ransomware incident and address in their incident response plans.

CPRA Rulemaking Explained and CPRA Amendments Push Forward, Including Employee and Business-to-Business Exemptions

On Feb. 18, Chairperson Jennifer Urban of the California Privacy Protection Agency (CPPA) addressed the California state bar and clarified the announcements that were made during the CPPA board meeting on Feb. 17. Read on for an explanation of the California Privacy Rights Act (CPRA) rulemaking process and brief summaries of the privacy bills in California, including proposed amendments to the CPRA that were filed last week to extend the employee and business-to-business exemptions.

CPRA Rulemaking

During the kickoff of the CPRA Law + Tech Series: Understanding Data, Decisionmaking, and Design, co-hosted by the California Lawyers Association Privacy Law Section and the Future of Privacy Forum, Urban explained that the CPPA is pressing forward with its mandate but is subject to certain statutory limitations. For example, under the Bagley-Keene Open Meeting Act, all CPPA board deliberations must be held in public meetings, reflecting the California State Legislature’s emphasis on transparency, which may come at the expense of efficiency. Still, CPPA subcommittees composed of two board members, short of the three-member threshold needed to establish a quorum, may perform substantive work and then present their recommendations to the board in public meetings.


Katherine Lowry Named An “Artificial Intelligence Visionary” By Legal Tech Leader

Congratulations to Katherine Lowry for being named an AI Visionary by Relativity, a recognition given to those whose foresight and leadership in advancing the use of AI are propelling their organizations forward.



CPRA Regulations Postponed

On Feb. 17, 2022, the California Privacy Protection Agency (CPPA or the Agency) held a public board meeting to address several topics, including the rulemaking under the California Privacy Rights Act (CPRA). Although the CPRA includes a July 1 deadline for the Agency to promulgate final regulations, it is clear the CPPA will not meet that deadline given the delays it continues to face in hiring staff and beginning operations. In the words of CPPA Executive Director Ashkan Soltani, “[W]e’re building the car while we drive it.”

Director Soltani estimated that the CPPA will publish final regulations in the third or fourth quarter of 2022, giving businesses little time to implement compliance with the regulations ahead of the CPRA’s Jan. 1, 2023 operative date. By statute, formal rulemaking will begin in April, six months after the CPPA’s Oct. 21, 2021 notice to the California Attorney General (OAG) that the Agency is ready to assume rulemaking responsibilities. Director Soltani also indicated that draft regulations may be issued after the second quarter of 2022, meaning we may not see them until June.

For those wondering whether this impacts the enforcement deadline, here is a link for a recording of a webinar with Chairperson Jennifer Urban from Oct. 5, 2021 in which she discussed the California rulemaking process, authority given to the Agency for enforcement, and the topics on which the CPPA will focus for rulemaking. During that webinar, Chairperson Urban said that the Board is looking at the possibility of a formal extension of the CPRA’s July 1, 2023 enforcement deadline. A summary of the Oct. 5, 2021 statements Chairperson Urban made to the California Lawyers Association can be found here.

Despite the delays surrounding the CPRA regulations, businesses are well advised to work on CPRA compliance now. For those wondering where to begin, we published an overview that can be found here.

In addition to conducting gap assessments and data mapping, the CPPA encourages stakeholder participation. The path to the final regulations will involve preliminary hearings planned for March and April 2022, at which the Agency will receive input from subject matter experts as well as consumers, businesses and other stakeholders.

Meanwhile, the OAG filed a request with the state to move the current regulations under the California Consumer Privacy Act to a new section in the California Code of Regulations, where they will be renumbered for the CPRA.

Stay tuned for further updates on the CPRA rulemaking process from the authors and others in BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group.

A Digital Advertising Primer on Preparing for the Post-Cookie World: Part Three

Part I: What Are Third-Party Cookies and Why They Are Important

Part II: Privacy Laws and Third-Party Cookies

Part III: The Big Tech Phase-Out of the Third-Party Cookie and the Emerging Industry Landscape – Browsers and Mobile


The Big Tech Phase-Out

Welcome to the third installment in our eight-part series preparing you for the post-cookie world. In our first post, we provided a deep dive into third-party cookies for a baseline understanding of the technology and the outsized impact of their phase-out on the adtech ecosystem. In our second post, we surveyed the current privacy legal landscape regulating the use of third-party cookies to collect, track and share personal information. In this post, we will discuss big tech’s – and in particular Google’s and Apple’s – role in ushering in the phase-out of the third-party cookie and the potential post-cookie alternatives being developed by these two tech giants for the widely adopted Google Chrome browser and Apple iPhone operating system.