<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Harvard Law School Forum on Corporate Governance</title>
	<atom:link href="https://corpgov.law.harvard.edu/contributor/jeohn-salone-favors/feed/" rel="self" type="application/rss+xml" />
	<link>https://corpgov.law.harvard.edu</link>
	<description>The leading online blog in the fields of corporate governance and financial regulation.</description>
	<lastBuildDate>Thu, 29 Jul 2021 13:10:23 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.7.2</generator>
	<item>
		<title>Cybersecurity Oversight and Defense — A Board and Management Imperative</title>
		<link>https://corpgov.law.harvard.edu/2021/05/14/cybersecurity-oversight-and-defense-a-board-and-management-imperative/</link>
		<comments>https://corpgov.law.harvard.edu/2021/05/14/cybersecurity-oversight-and-defense-a-board-and-management-imperative/#respond</comments>
		<pubDate>Fri, 14 May 2021 13:11:26 +0000</pubDate>
<!-- 		<dc:creator><![CDATA[]]></dc:creator> -->
				<category><![CDATA[Accounting & Disclosure]]></category>
		<category><![CDATA[Practitioner Publications]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Risk disclosure]]></category>
		<category><![CDATA[Risk oversight]]></category>

		<guid isPermaLink="false">https://corpgov.law.harvard.edu/?p=138009?d=20210514091126EDT</guid>
		<description><![CDATA[This past weekend, criminal ransomware cyberattacks drove the shutdown of one of America’s largest pipelines for refined gasoline, diesel fuel, and jet fuel as a precautionary means of containing the impact of the breach, highlighting the vulnerability of the nation’s energy infrastructure. Recent reports indicate that more than two dozen other company victims across a [&#8230;]]]></description>
				<content:encoded><![CDATA[<hgroup><em>Posted by John F. Savarese, Sarah K. Eddy, and Sabastian V. Niles, Wachtell, Lipton, Rosen & Katz, on Friday, May 14, 2021 </em><div style="background:#F8F8F8;padding:10px;margin-top:5px;margin-bottom:10px"><strong>Editor's Note: </strong> <a href="https://www.wlrk.com/attorney/jfsavarese/">John F. Savarese</a>, <a href="https://www.wlrk.com/attorney/skeddy/">Sarah K. Eddy</a>, and <a href="https://www.wlrk.com/attorney/svniles/">Sabastian V. Niles</a> are partners at Wachtell, Lipton, Rosen &amp; Katz. This post is based on a Wachtell memorandum by Mr. Savarese, Ms. Eddy, Mr. Niles, and <a href="https://www.wlrk.com/attorney/jjfavors/">Jeohn Salone Favors</a>.
</div></hgroup><p>This past weekend, criminal ransomware cyberattacks drove the shutdown of one of America’s largest pipelines for refined gasoline, diesel fuel, and jet fuel as a precautionary means of containing the impact of the breach, highlighting the vulnerability of the nation’s energy infrastructure. Recent reports indicate that more than two dozen other company victims across a range of industries were targeted by these ransomware attacks, with worse damage blocked thanks to close and rapid coordination between federal authorities and private sector partners to identify and swiftly shut down servers being used in the attack. Earlier this month, a California-based regional hospital operator had to take healthcare IT systems offline following a cyberattack, significantly disrupting care, forcing medical personnel to use back-up paper records and raising concerns about vulnerabilities in the healthcare system as the nation continues to battle the Covid-19 pandemic.</p>
<p>In addition to the most recent incidents highlighted above, 2020 featured one of the most ambitious and troubling cyberattacks in history: hackers associated with a foreign intelligence service surreptitiously implanted malicious code into Texas-based technology firm SolarWinds’s Orion network management tool, an application used by tens of thousands of clients, including Microsoft, the U.S. government and FireEye, a prominent cybersecurity firm that helped discover and alert the world to the compromise. More recently, in April 2021, authorities discovered that attackers had, since at least June 2020, been exploiting security flaws in virtual private network (VPN) products offered by an IT software provider. Like the SolarWinds hack, the breach affected federal government agencies and numerous private companies.</p>
<p> <a href="https://corpgov.law.harvard.edu/2021/05/14/cybersecurity-oversight-and-defense-a-board-and-management-imperative/#more-138009" class="more-link"><span aria-label="Continue reading Cybersecurity Oversight and Defense — A Board and Management Imperative">(more&hellip;)</span></a></p>
]]></content:encoded>
			<wfw:commentRss>https://corpgov.law.harvard.edu/2021/05/14/cybersecurity-oversight-and-defense-a-board-and-management-imperative/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Facebook Settlement</title>
		<link>https://corpgov.law.harvard.edu/2019/07/29/the-facebook-settlement/</link>
		<comments>https://corpgov.law.harvard.edu/2019/07/29/the-facebook-settlement/#respond</comments>
		<pubDate>Mon, 29 Jul 2019 13:09:31 +0000</pubDate>
<!-- 		<dc:creator><![CDATA[]]></dc:creator> -->
				<category><![CDATA[Accounting & Disclosure]]></category>
		<category><![CDATA[Practitioner Publications]]></category>
		<category><![CDATA[Securities Litigation & Enforcement]]></category>
		<category><![CDATA[Securities Regulation]]></category>
		<category><![CDATA[Compliance and disclosure interpretation]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Disclosure]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Risk disclosure]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[SEC enforcement]]></category>
		<category><![CDATA[Securities enforcement]]></category>
		<category><![CDATA[Settlements]]></category>
		<category><![CDATA[Tech companies]]></category>

		<guid isPermaLink="false">https://corpgov.law.harvard.edu/?p=120702?d=20190729090931EDT</guid>
		<description><![CDATA[In a settlement announced by the Federal Trade Commission [July 24, 2019], Facebook agreed to a $5 billion penalty and extensive remedial requirements to resolve an investigation into violations of a 2012 consent decree related to its data privacy practices. On the same day, the Securities and Exchange Commission announced a related $100 million resolution of charges that [&#8230;]]]></description>
				<content:encoded><![CDATA[<hgroup><em>Posted by Marshall L. Miller and Jeohn Salone Favors, Wachtell, Lipton, Rosen & Katz, on Monday, July 29, 2019 </em><div style="background:#F8F8F8;padding:10px;margin-top:5px;margin-bottom:10px"><strong>Editor's Note: </strong> <a href="https://www.wlrk.com/attorney/mlmiller/">Marshall L. Miller</a> is of counsel and <a href="https://w3.wlrk.com/attorney/jjfavors/">Jeohn Salone Favors</a> is an associate at Wachtell, Lipton, Rosen &amp; Katz. This post is based on their Wachtell Lipton memorandum.
</div></hgroup><p>In a settlement <a href="https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions">announced</a> by the Federal Trade Commission [July 24, 2019], Facebook agreed to a $5 billion penalty and extensive remedial requirements to resolve an investigation into violations of a 2012 consent decree related to its data privacy practices. On the same day, the Securities and Exchange Commission <a href="https://www.sec.gov/news/press-release/2019-140">announced</a> a related $100 million resolution of charges that Facebook made misleading public disclosures in connection with data privacy risks.</p>
<p>The FTC resolution includes not only the largest data privacy penalty in the agency’s history, but a remedial order that is broad and long-lived, requiring Facebook to restructure its privacy operations at the compliance, executive management, and board of directors levels. Though this high-profile action constitutes, by orders of magnitude, the FTC’s most aggressive privacy enforcement effort to date, it has drawn substantial criticism from some quarters for not going far enough. The Commission’s 3-2 vote in favor of the resolution, split along party lines, reflects its controversial nature.</p>
<p> <a href="https://corpgov.law.harvard.edu/2019/07/29/the-facebook-settlement/#more-120702" class="more-link"><span aria-label="Continue reading The Facebook Settlement">(more&hellip;)</span></a></p>
]]></content:encoded>
			<wfw:commentRss>https://corpgov.law.harvard.edu/2019/07/29/the-facebook-settlement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SEC Sanctions Investment Firm for Inadequate Cybersecurity and Identity Theft Prevention Policies</title>
		<link>https://corpgov.law.harvard.edu/2018/10/12/sec-sanctions-investment-firm-for-inadequate-cybersecurity-and-identity-theft-prevention-policies/</link>
		<comments>https://corpgov.law.harvard.edu/2018/10/12/sec-sanctions-investment-firm-for-inadequate-cybersecurity-and-identity-theft-prevention-policies/#respond</comments>
		<pubDate>Fri, 12 Oct 2018 13:29:48 +0000</pubDate>
<!-- 		<dc:creator><![CDATA[]]></dc:creator> -->
				<category><![CDATA[Practitioner Publications]]></category>
		<category><![CDATA[Securities Litigation & Enforcement]]></category>
		<category><![CDATA[Broker-dealers]]></category>
		<category><![CDATA[Compliance & ethics]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Investment advisers]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Risk oversight]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[SEC enforcement]]></category>
		<category><![CDATA[Securities enforcement]]></category>

		<guid isPermaLink="false">https://corpgov.law.harvard.edu/?p=111546?d=20181012092948EDT</guid>
		<description><![CDATA[[On September 26, 2018], the Securities and Exchange Commission announced that it had settled charges against an Iowa-based broker-dealer and investment adviser stemming from an April 2016 data breach that compromised at least 5,600 customer accounts. The SEC’s cease-and-desist order charges that the firm had deficient cybersecurity and identity theft prevention programs, in violation of the SEC’s Safeguards Rule (Reg S-P) [&#8230;]]]></description>
				<content:encoded><![CDATA[<hgroup><em>Posted by Sabastian V. Niles, Marshall L. Miller, and Jeohn Salone Favors, Wachtell, Lipton, Rosen & Katz, on Friday, October 12, 2018 </em><div style="background:#F8F8F8;padding:10px;margin-top:5px;margin-bottom:10px"><strong>Editor's Note: </strong> <a href="http://w3.wlrk.com/svniles/" target="_blank" rel="nofollow noopener">Sabastian V. Niles</a> is a partner, <a href="http://w3.wlrk.com/Marshall-L-Miller/" target="_blank" rel="nofollow noopener">Marshall L. Miller</a> is of counsel, and Jeohn Salone Favors is an associate at Wachtell, Lipton, Rosen &amp; Katz. This post is based on their Wachtell Lipton memorandum.
</div></hgroup><p style="font-weight: 400;">[On September 26, 2018], the Securities and Exchange Commission <a href="https://www.sec.gov/news/press-release/2018-213">announced</a> that it had settled charges against an Iowa-based broker-dealer and investment adviser stemming from an April 2016 data breach that compromised at least 5,600 customer accounts. <a href="https://www.sec.gov/litigation/admin/2018/34-84288.pdf">The SEC’s cease-and-desist order</a> charges that the firm had deficient cybersecurity and identity theft prevention programs, in violation of the SEC’s <a href="https://www.ecfr.gov/cgi-bin/text-idx?SID=226b4b62d8bf25d29cc88df5039cddde&amp;mc=true&amp;node=se17.4.248_130&amp;rgn=div8">Safeguards Rule</a> (Reg S-P) and <a href="https://www.ecfr.gov/cgi-bin/text-idx?SID=357842edd5a8d7a496936cd9c7b76bad&amp;mc=true&amp;node=se17.4.248_1201&amp;rgn=div8">Identity Theft Red Flags Rule</a> (Reg S-ID), which require registered investment advisers and broker-dealers to adopt reasonably designed policies to protect customer information and detect, prevent, and mitigate identity theft. Although the SEC has previously enforced the Safeguards Rule (see <a href="http://blog.wlrk.com/?p=1470">our June 2016 memo</a>), this is the SEC’s first enforcement action involving the Identity Theft Red Flags Rule. The SEC viewed positively post-breach remedial actions taken by the company, and the matter was settled for a $1 million penalty and retention of an independent compliance consultant.</p>
<p> <a href="https://corpgov.law.harvard.edu/2018/10/12/sec-sanctions-investment-firm-for-inadequate-cybersecurity-and-identity-theft-prevention-policies/#more-111546" class="more-link"><span aria-label="Continue reading SEC Sanctions Investment Firm for Inadequate Cybersecurity and Identity Theft Prevention Policies">(more&hellip;)</span></a></p>
]]></content:encoded>
			<wfw:commentRss>https://corpgov.law.harvard.edu/2018/10/12/sec-sanctions-investment-firm-for-inadequate-cybersecurity-and-identity-theft-prevention-policies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
