In this article, we discuss today’s most prevalent types of ransomware attacks, considerations for whether to make the ransom payment, the ransomware guidance from the Financial Crimes Enforcement Network (FinCEN) and the Treasury’s Office of Foreign Assets Control (OFAC), and the U.S. government’s efforts in connection with these attacks.
Jena M. Valdetero
Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on privacy and cyber risks associated with mergers and acquisitions, venture capital, and securities. Jena also advises a diverse array of clients on compliance with existing and emerging privacy laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm Leach Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). She is a certified privacy professional through the International Association of Privacy Professionals (CIPP/US), for which she is a former KnowledgeNet Co-Chair.
DOJ Limits Application of Computer Fraud and Abuse Act, Providing Clarity for Ethical Hackers and Employees Paying Bills at Work Alike
On May 19, 2022, the Department of Justice announced it would not charge good-faith hackers who expose weaknesses in computer systems with violating the Computer Fraud and Abuse Act (CFAA or Act), 18 U.S.C. § 1030. Congress enacted the CFAA in 1986 to promote computer privacy and cybersecurity and amended the Act several times, most…
Congress Passes 72-Hour Federal Breach Reporting Law for Critical Infrastructure
As part of a larger spending bill signed by President Biden on March 15, 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRA) to increase funding for the federal Cybersecurity and Critical Infrastructure Agency (CISA). CIRA requires companies considered to be in a “critical infrastructure” sector to notify CISA within 72 hours…
SEC Continues Rolling Out Cybersecurity Rules, this Time Targeting Public Companies
Continuing its focus on cybersecurity, on March 9, 2022, in a party-line vote, the SEC proposed rules and amendments governing cybersecurity reporting requirements for public companies subject to the Securities Exchange Act of 1934.
CCPA Litigation Up 44.1%
The California Consumer Privacy Act (CCPA) provides plaintiffs with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security. Although the CCPA does not permit private suits with respect to alleged…
Preparing for the Possibility of Russian Ransomware Attacks
On Feb. 25, 2022, one of the top 10 ransomware threat actor groups, Conti, issued a statement announcing its “full support” of the Russian government and threatening “to use all our possible resources to strike back at critical infrastructures of an enemy” who “organize[s] a cyberattack or any war activities” against Russia. Conti followed up…
Finally! UK Issues Solution for UK Personal Data Transfers
The long-awaited UK data transfer mechanism has been published by the Information Commissioner’s Office (ICO), resolving the question of how international transfers of personal data from the UK will be handled post-Brexit. As a refresher, the European Commission published four new versions of the EU standard contractual clauses (SCCs) in June 2021. However, these new…
SEC Issues Proposed Cyber Rule, Including 48-Hour Breach Reporting Requirement
On Feb. 9, 2022, the SEC released its long-awaited proposed cybersecurity rule, and there’s a lot to unpack. As GT reported previously, the SEC increased enforcement of cybersecurity compliance in 2021. As recently as Jan. 24, 2022, Chair Gary Gensler made cybersecurity the focus of his speech at Northwestern Law School’s Securities Regulation
Does the attorney-client privilege protect TIAs created pursuant to the SCCs from disclosure?
It depends on the purpose for which a TIA is created. It is unlikely that the attorney-client privilege would apply to a TIA that is created, and used, to satisfy the requirements of the Standard Contractual Clauses (SCCs).
The attorney-client privilege in the United States refers to a judicially recognized ability for a client to…
As the California Attorney General focuses on loyalty programs, what do companies need to remember?
The California attorney general (AG) celebrated data privacy day by doing an “investigative sweep” of the loyalty programs of retailers, supermarkets, home improvement stores, travel companies, and food service companies, and sending out notices of non-compliance to businesses that the AG’s office believes might not be fully compliant with the CCPA. As the…