The Scourge of Ransomware

Our 2021 Data Security Incident Response Report (DSIR) described ransomware as a scourge. There are stories every day about new threat actor groups and their victims. There are task forces, law enforcement initiatives, discussions by legislators about laws to help address the problem, and real-world impact from operational disruption (such as panic-buying of gas).

Most organizations are aware of the risk of ransomware and the need to prepare for an event. But organizations that have not experienced a ransomware event are uncertain about what actually occurs, which hinders preparation. Building a ransomware playbook and conducting a tabletop exercise facilitated by a person experienced in responding to ransomware events are good preparation measures. To help with both, you can use the ransomware matter data from the DSIR and the list of considerations an organization facing a ransomware attack may have to address all at once on the first day of a ransomware matter.

Seventh Annual Data Security Incident Response Report Released – Disruption and Transformation

Welcome to our seventh Data Security Incident Response Report (DSIR). It has been quite a year from many perspectives. Thank you to everyone we have continued to partner and work with to create this report.

We are excited to soon launch a new digital platform version, and we intend to update this version throughout the year with real-time data. The DSIR will continue to share data and insights about security incidents, regulatory enforcement actions, class actions, transactions, digital innovation, compliance projects, data governance, and advisory matters to help organizations develop solutions to address the issues that data and technology create.

Welcome to the Digital Transformation and Data Economy Newsletter – April 2021 Issue

Across the economy, businesses are using digital technology to pivot into innovative service lines, accelerate growth and transform their businesses altogether. These businesses’ digital strategies and data assets play important roles in their success. Since Europe’s General Data Protection Regulation (GDPR) introduced special protections and requirements around sensitive personal data in 2018, the United States has seen a national movement to pass comprehensive privacy laws, some of which mirror the GDPR in this respect. In this issue, we are highlighting Catrina Wang and how her privacy practice intersects with digital transformation and the data economy.


The New (if Decidedly Not ‘Final’) Frontier of Artificial Intelligence Regulation

The week of April 19 was an eventful one for practitioners following the evolution of potential artificial intelligence (AI) enforcement both in the United States and abroad, answering some questions regarding which regulators were going to take a more active and prospective role in regulating and advising on AI use and what those roles might look like. In addition, and perhaps more importantly for advisers and their clients, the announcements from the U.S. Federal Trade Commission (FTC) and the European Commission (EC) provided insight into what organizations using AI might do prospectively to mitigate enforcement concerns and prepare for future responses.

News from the FTC

The week started with an April 19, 2021, post from the FTC titled “Aiming for truth, fairness, and equity in your company’s use of AI.” Note first, however, that the FTC had provided some initial guidance back on April 8, 2020, titled “Using Artificial Intelligence and Algorithms.” The FTC’s 2020 guidance noted that the FTC had “brought many cases alleging violations of the laws [the FTC] enforce[s] involving AI and automated decision-making, and [had] investigated numerous companies in this space.”

Responding to Supply-Chain Risk—It’s Not Just About Vendor Management

Organizations around the globe began 2021 grappling with two significant supply-chain attacks. First, the SVR, Russia’s foreign intelligence service, planted malicious code in Orion, SolarWinds’ flagship network management suite. When 18,000 Orion customers updated their software, they also unwittingly installed the SVR’s malicious code, giving the Russian intelligence agency direct access to the customers’ networks.

The second attack came in March, when news broke that a threat actor labeled HAFNIUM was exploiting four previously unknown vulnerabilities in Microsoft Exchange, the ubiquitous email server platform. Information security teams scrambled to install Microsoft’s emergency fix and evaluate the damage. Within days, other threat actors began targeting unpatched systems for their own goals, including ransomware attacks.


Highly Anticipated SCOTUS Ruling Upends TCPA Landscape

In a landmark decision issued April 1, 2021, the Supreme Court settled a hotly contested debate over the definition of “automatic telephone dialing system” (or “autodialer”) under the 1991 Telephone Consumer Privacy Act (“TCPA”). The Court’s decision is likely to upend the TCPA compliance and litigation landscape, as the law’s private right of action, coupled with steep penalties for non-compliance, has spawned countless class action lawsuits in recent years. SCOTUS resolved a circuit split over the definition of autodialer, which has been at the heart of many of these disputes, adopting the narrower interpretation so as not to include any device that can dial numbers from a stored list.

Podcast: AD-ttorneys@law: Marketing a Subscription-Based Service? Beware

We used to think of subscriptions as mostly for newspapers and magazines, but today you can subscribe to get cosmetics, cars, clothes, mental health counseling – even a curated selection of cat toys and treats that will show up on your doorstep every month. Is your brand offering a subscription service? Linda Goldstein explains how to mitigate your legal risk.


Privacy-Forward California AG Xavier Becerra Confirmed as Next HHS Secretary

On March 19, 2021, Xavier Becerra was confirmed as the secretary of the U.S. Department of Health and Human Services (HHS). HHS is the federal regulatory body that oversees the Office for Civil Rights (OCR), which is the primary federal enforcer of the Health Insurance Portability and Accountability Act (HIPAA).

The secretary oversees 11 operating divisions and 15 offices (including OCR), and as a result, he is not solely focused on HIPAA and privacy issues. However, if Becerra maintains his California state of mind, we can reasonably anticipate that privacy reform will be a high-ranking item on his federal agenda.

Private Right of Action May Again Poison Washington Privacy Act

On March 26, with less than a month left in the Washington Legislature’s 2021 session, the House Civil Rights and Judiciary Committee (CRJC) passed the Washington privacy act (2SSB 5062), with amendments, on a straight party-line vote of 11-6 (with all six Republican committee members voting no). As the act gets closer to passing, we’ll revisit the bill to highlight how it compares to its predecessors in California and Virginia. For now, this post focuses on differences between the Senate and House versions and how those might affect its passage.

The amended bill, which now includes a private right of action, moves next to the House Appropriations Committee before moving to the full House for consideration. If passed by the House (as currently amended or with other amendments), the amended bill must then be reconciled with the Senate’s version. That puts us in about the same place we were in last year before the Washington privacy act failed – but with a few notable differences discussed below.