Right To Know - December 2024, Vol. 24
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
State Action:
- California Privacy Protection Agency Advances New Data Broker and Privacy Regulations: On Nov. 8, the California Privacy Protection Agency (CPPA) Board voted to adopt new data broker registration regulations and advance a comprehensive rulemaking package related to insurance, cybersecurity, risk assessments, and automated decision-making technology (ADMT). The data broker rules aim to clarify registration and disclosure requirements, with an expected effective date of January 1, 2025, pending approval. Additionally, the CPPA will initiate a 45-day public comment period for broader privacy rules, which address consumer rights regarding ADMT, cybersecurity audits, and risk assessments. These measures reflect the agency’s efforts to adapt privacy regulations to evolving technology.
Regulatory:
- CISA Publishes Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization: On Nov. 21, CISA published “Enhancing Cyber Resilience: CISA Red Team Assessment of a US Critical Infrastructure Sector Organization,” based on a voluntary assessment by CISA requested by the organization. A red team assessment “simulates real-world threat actors to assess an organization’s cybersecurity detection and response capabilities.” In this analysis, the red team, after failing to gain access through a phishing campaign, discovered a web shell left from a previous Vulnerability Disclosure Program, used it for initial access, and then used that access to escalate privileges. The report includes Lessons Learned and Mitigations, including embedding security into product architecture throughout the entire software development lifecycle, eliminating default passwords, and mandating Multifactor Authentication (ideally phishing-resistant MFA).
- CISA Releases Tips for Safe Holiday Shopping: With the holiday season upon us, CISA released tips to protect yourself, your family, and businesses from online scams and identity theft. According to the FBI, holiday shopping scams caused over $73 million in losses in 2022. CISA’s tips include videos showing how to secure devices, ways to spot phishing emails, and other general self-help steps.
- NYDFS Issues Industry Letter Highlighting Strategies to Combat AI Cybersecurity Risks: The New York Department of Financial Services (“NYDFS”) published an Industry Letter highlighting AI cybersecurity risks to the banking, insurance, and financial services industry and providing guidance on steps organizations can take in response. NYDFS highlighted the increased use of AI by threat actors, such as AI-enabled social engineering, as well as organizational risks that can be caused by overreliance on AI tools. NYDFS highlighted multiple measures that can be used to mitigate these risks, including risk assessments, vendor management practices, and system and process monitoring. Overall, the guidance provides best practices regarding cybersecurity strategies that can be used alongside new technology implementation.
- The US Coast Guard Issues a New Cybersecurity Directive Warning of Risks of Chinese Cranes in Ship-to-Shore Operations: Ship-to-shore (STS) cranes manufactured by the People’s Republic of China (PRC) account for nearly 80% of the STS cranes at US ports. The cranes may be controlled, serviced, and programmed from remote locations, leaving STS cranes manufactured by PRC companies vulnerable to exploitation. The US Coast Guard issued Maritime Security (MARSEC) Directive 105-5, which outlines cyber risk management requirements for ship-to-shore cranes manufactured by PRC companies. These requirements are in addition to the MARSEC Directive 105-4 issued earlier this year. The Directive is considered Sensitive Security Information (SSI) and so is not publicly available. To obtain a copy of MARSEC Directive 105-4, operators and industry stakeholders should contact their local Captain of the Port or District Commander. For more information you can also contact Clark Hill.
- CISA Issues CWE Top 25 Most Dangerous Software Weaknesses List: On Nov. 20, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with MITRE’s Homeland Security Systems Engineering and Development Institute, released the 2024 CWE Top 25 Most Dangerous Software Weaknesses. The annual list identifies the most frequently exploited critical software weaknesses based on Common Vulnerabilities and Exposures (CVE) records. This year’s top weaknesses include cross-site scripting, out-of-bounds write, SQL injection, cross-site request forgery, and path traversal. The list is part of CISA’s Secure by Design and Secure by Demand initiatives. CISA includes recommendations for Developers and Product Teams, Security Teams, and Procurement and Risk Managers.
- EU Proposed Cybersecurity Resilience Act Published in the Official Journal: The EU’s long-awaited Cybersecurity Resilience Act (CRA) has been published in draft form in the EU’s Official Journal. The CRA intends to regulate cybersecurity resilience for products and software which are sold to or used by consumers and businesses. Manufacturers will have to adhere to certain standards not only at the time of production but also throughout the product life cycle, by way of appropriate and regular updates to ensure the highest levels of cybersecurity. As with many EU regulations, part of the aim is to harmonize a framework for the applicable standards throughout the EU. It will complement certain aspects of the NIS2 Directive. It will apply to manufacturers, importers, distributors, and certain retailers. It provides for fines of up to 2.5% of annual global turnover or €15m, whichever is higher. It will be implemented on a phased basis, with the next major milestone being H2 2026.
- SEC Fines Companies for Misleading Disclosures About Security Incident: The SEC recently fined four companies for misleading public disclosures following the SolarWinds cybersecurity incidents. The SolarWinds cybersecurity incidents all used a vulnerability in the popular SolarWinds software to gain unauthorized access to companies’ IT systems. The SEC acknowledged that the incidents were not necessarily the fault of the companies impacted but found that their public disclosures related to those incidents improperly attempted to minimize the incidents. The SEC stated, “[i]n two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.” The fines continue to indicate that the SEC takes post-incident disclosures very seriously and that those affected by cybersecurity incidents should carefully consider such disclosures.
- Senator Wyden Calls Out Telecom Companies Following Massive Industry-Wide Breach: U.S. Senator Ron Wyden took the telecom industry and its federal regulator, the Federal Communications Commission (“FCC”), to task for failing to stop Chinese government-affiliated hackers from breaching the networks of all of the major U.S. telecom companies. He asked the FCC and U.S. Department of Justice to investigate these failures and, for the FCC specifically, to establish telecom industry-specific cybersecurity standards and requirements. This massive breach allegedly allowed the Chinese government to access communication data and, in some cases, to monitor those communications.
Litigation & Enforcement:
- Healthcare Worker Sentenced for Illegally Accessing and Disclosing Justice Ginsburg’s Medical Records: Trent Russell worked for an organ donation coordination company, which provided him the ability to access health records. In 2019, Mr. Russell accessed the health records of then-Justice Ruth Bader Ginsburg and posted a screenshot of them online. According to the Department of Justice, he also destroyed and altered evidence and lied to investigators. Judge Michael S. Nachmanoff sentenced Russell to 24 months in prison.
- Chinese Threat Actors Breach Multiple Telecom Companies to Listen to Conversations and Access Call Records: The U.S. government is investigating a large-scale cyber espionage campaign by PRC-affiliated actors targeting telecommunications infrastructure. These actors have compromised networks at several telecommunications companies, stealing customer call records, intercepting private communications of individuals involved in government or political activities, and copying information tied to U.S. law enforcement requests. The investigation is ongoing, and the FBI and CISA are providing technical support, sharing information, and helping strengthen cyber defenses in the commercial communications sector. Organizations that may be affected are urged to contact the FBI or CISA.
- SEC Declines to Issue Fine Against ICBC Over Ransomware Attack: The Securities and Exchange Commission (“SEC”) has reached a settlement with the Industrial and Commercial Bank of China Financial Services LLC (“ICBC”) for deficient books and records but decided not to impose civil penalties after ICBC suffered a ransomware attack in November 2023. The SEC cited ICBC’s prompt response, extensive remedial measures, and the company’s meaningful cooperation in the SEC investigation as reasons for not issuing a fine. While the SEC found ICBC willfully violated multiple sections of the Securities Exchange Act of 1934, the settlement only included an agreed cease-and-desist order and a censure.
- City of Columbus Drops Lawsuit Against Data Leak Whistleblower: The City of Columbus reached a settlement to drop its lawsuit against cybersecurity expert Connor Goodwolf, who had publicly disclosed a major data breach involving the city’s IT systems. Goodwolf’s disclosures reportedly exposed vulnerabilities in the city’s data security, which included sensitive personal and municipal data. In response, Columbus initially filed suit, citing unauthorized access and dissemination of confidential information. As part of the settlement, Goodwolf agreed to a permanent injunction, barring him from further accessing or sharing any data linked to the breach.
- FTC Cracks Down on Collection and Selling of Sensitive Location Data: The FTC has proposed a settlement with Mobilewalla, a data broker, for allegedly selling sensitive location data without consumer consent. Mobilewalla allegedly collected precise data on individuals, including visits to private homes, health clinics, and religious sites, and sold it to third parties like advertisers and data brokers. The FTC claims Mobilewalla’s actions exposed consumers to privacy risks, discrimination, and harm. Under the settlement, Mobilewalla will be prohibited from selling sensitive location data. It must also stop collecting or retaining data from online advertising auctions for any purpose other than the auction itself. The FTC is further requiring Mobilewalla to establish stronger privacy practices, and, if Mobilewalla violates the settlement terms, it could face penalties of up to $51,744 per violation.
- Meta Fined by South Korea’s PIPC: Meta has been fined by South Korea’s privacy regulator, the Personal Information Protection Commission (PIPC), which imposed a fine of over $15 million on Meta for failing to adequately protect user data and failing to comply with the country’s privacy law (PIPA). According to the PIPC, Meta improperly collected and used sensitive data without proper consent, violating users’ privacy rights. The PIPA stipulates that the processing of sensitive data is prohibited in principle, including data revealing ideology, political opinions, and religious beliefs, and data concerning a person’s sex life. South Korea’s regulator emphasized that companies must obtain clear consent from users before collecting and using their data, especially sensitive information such as specific religious affiliations, sexual orientation, and gender identity.
- Penn State Agrees to Pay $1.25 Million to Resolve False Claims Act Allegations of Violations of Federal Contract Cybersecurity Requirements: On Oct. 22, the U.S. Attorney for the Eastern District of Pennsylvania announced that The Pennsylvania State University (Penn State) agreed to pay $1,250,000 to resolve allegations that it violated the False Claims Act by failing to comply with cybersecurity requirements in 15 federal contracts or subcontracts. The settlement resolves a lawsuit filed under the whistleblower provisions of the False Claims Act, which alleged that Penn State failed to implement cybersecurity controls required by contracts and subcontracts with the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA) and did not adequately develop and implement plans of action to correct deficiencies. The Department of Justice’s intervention in the case was part of its Civil Cyber-Fraud Initiative. The settlement demonstrates the importance of understanding and complying with cybersecurity requirements for federal contracts.
- LinkedIn Fined €310m by Irish DPC: LinkedIn has been fined €310m by the Irish Data Protection Commission (DPC) in its capacity as lead supervisory authority. The fine arises from a complaint that originated in France. The decision also included a reprimand and a direction for LinkedIn to bring its practices into compliance. A core issue was the failure to validly rely on a proper legal basis for processing user data. Specifically, consent, legitimate interest, and contractual necessity were not properly used as legal bases to enable processing of third-party data of LinkedIn members for the purpose of behavioral analysis and targeted advertising. This month the DPC explained in more detail the analysis deployed in respect of the legitimate interest limb of the investigation.
- Justice Department Shuts Down PopeyeTools Cybercrime Marketplace, Charges Three Administrators in $1.7 Million Fraud Scheme: On Nov. 20, the Justice Department announced the seizure of PopeyeTools, a cybercrime marketplace that sold stolen credit card information and tools for cybercrime and financial fraud. Three PopeyeTools administrators from Pakistan and Afghanistan face charges of conspiracy to commit access device fraud. The site, active since 2016, offered sensitive financial data and personally identifiable information (PII) from at least 227,000 individuals, generating $1.7 million in revenue. U.S. authorities seized multiple domains and approximately $283,000 in cryptocurrency linked to the operation. If convicted, the accused face up to 10 years in prison. The takedown involved cooperation with international law enforcement, including agencies in the UK and Malaysia.
- Amazon Seeking Summary Judgment in Case Over Alexa Recordings: Amazon has, for years, been embroiled in litigation over its Alexa personal assistant device. The gist of such litigation has been that the Alexa device is impermissibly recording conversations in consumers’ homes. But Amazon claims in its recent filing that the plaintiffs have failed, after years of litigation, to show that Amazon’s device was recording at times other than when the consumer had addressed the device. Amazon asserts that the evidence shows that its recordings were only of the questions asked of Alexa and not of other private conversations.
- Children’s Hospital of Colorado Fined Over $500K by HHS OCR: The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $548,265 civil monetary penalty on Children’s Hospital Colorado for violations of the HIPAA Privacy and Security Rules. The penalty stems from breaches reported in 2017 and 2020, involving phishing attacks that compromised the protected health information (PHI) of 3,370 individuals in the first breach and 10,840 individuals in the second. OCR’s investigation found that the hospital had failed to implement key safeguards, such as multi-factor authentication, workforce training on HIPAA rules, and a compliant risk analysis to address potential vulnerabilities to electronic PHI (ePHI). This is OCR’s seventh penalty of the year, highlighting the agency’s enforcement of HIPAA regulations to secure sensitive health information. OCR emphasized the importance of mitigating cyber threats by implementing measures such as multi-factor authentication, encrypting ePHI, conducting regular risk analyses, and reinforcing workforce training to protect privacy and security.
International Updates:
- European Data Protection Board Adopts European Commission Report on its First Review of the EU-U.S. Data Privacy Framework: The European Commission has concluded that U.S. authorities’ Data Privacy Framework has the necessary structures and procedures in place to ensure that it functions effectively with EU data privacy laws. The decision did highlight a concern about US law enforcement purchasing personal data from commercial brokers as an end-run around FISA or Executive Order 14086. Further review will take place next year.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.