Right To Know - March 2025, Vol. 27
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
View previous issues and sign up to receive future newsletters by email here.
State Action:
- Florida Committee Recommends Official Voluntary Incident Response Guidelines for Florida Bar: During its meeting at the Bar’s Winter Meeting in January, the Florida Bar Cybersecurity & Privacy Law Committee approved a voluntary Incident Response Plan (IRP) for cyber incidents and recommended that the Florida Bar adopt it as an official, voluntary IRP for Florida lawyers. Adoption will require approval by the Board of Governors. Consistent with the increasing recognition of the importance of data governance for cybersecurity and incident response, the IRP encourages data mapping during the planning process to understand the lifecycle and flow of data. The IRP covers the standard steps of preparation, detection and identification, containment, eradication, recovery, and post-incident review. While not yet officially adopted, it is a good planning resource tailored to attorneys and law firms.
Regulatory:
- CISA and Partners Issue Guidance to Secure Edge Devices and Appliances: On February 4, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with international and other U.S. organizations, issued guidance on protecting network edge devices and appliances (e.g., firewalls, routers, virtual private network (VPN) gateways, etc.). Protection of edge devices is critical because they sit at the boundary between an organization’s internal enterprise network and the Internet, are exposed to unauthenticated traffic by design, and often lack the endpoint visibility that internal hosts have. The guidance, issued as cybersecurity information sheets, includes “Security Considerations for Edge Devices,” “Digital Forensics Monitoring Specifications for Products of Network Devices and Applications,” “Mitigation Strategies for Edge Devices: Executive Guidance,” and “Mitigation Strategies for Edge Devices: Practitioner Guidance.” The lead contributors include the Canadian Centre for Cyber Security (CCCS), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
- HHS OCR Imposes $1.5 Million Penalty on Warby Parker for HIPAA Security Violations Following Cyberattack: The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has imposed a $1,500,000 civil money penalty on eyewear manufacturer Warby Parker, Inc. for violations of the HIPAA Security Rule. The penalty follows a cyberattack that compromised the protected health information of nearly 200,000 individuals. The breach involved unauthorized access to customer accounts via credential stuffing, in which attackers replay username and password pairs leaked from other breaches against a login page; accounts whose owners reused passwords are taken over with no exploit required. HHS OCR’s investigation concluded that Warby Parker failed to conduct a thorough risk analysis, implement adequate security measures, and maintain proper information system activity reviews, as required by HIPAA.
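The “information system activity review” HIPAA requires is, in practice, regular inspection of authentication logs for patterns like the one behind this breach. The following is an added example (not code from the newsletter, from HHS, or from Warby Parker) of what such a review can look for: a single source address attempting many distinct usernames in a short window with a low success rate, which is the signature of credential stuffing rather than a user who forgot a password. The log lines and addresses are constructed for the example; the log format and thresholds are assumptions to be tuned to the real system.

```python
"""Credential-stuffing detection over a web authentication log (constructed sample)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system).
# Format: ISO-8601 timestamp, source IP, username, outcome (OK or FAIL).
SAMPLE_LOG = """\
2025-02-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2025-02-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2025-02-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2025-02-01T10:00:03Z 203.0.113.7 dave@example.com OK
2025-02-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2025-02-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2025-02-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2025-02-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2025-02-01T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2025-02-01T10:00:06Z 203.0.113.7 judy@example.com FAIL
2025-02-01T10:01:00Z 198.51.100.9 alice@example.com FAIL
2025-02-01T10:01:30Z 198.51.100.9 alice@example.com FAIL
2025-02-01T10:02:00Z 198.51.100.9 alice@example.com OK
2025-02-01T10:03:00Z 192.0.2.44 mallory@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), outcome == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_attempts=8, min_distinct_users=6,
                               max_success_ratio=0.25):
    """Return {ip: alert} for sources whose sliding window shows many distinct
    usernames, enough attempts, and mostly failures (assumed thresholds)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        users_in_window = Counter()   # username -> attempts inside the window
        ok_users = Counter()          # username -> successful logins inside the window
        start = 0
        for end, (ts, user, ok) in enumerate(events):
            users_in_window[user] += 1
            if ok:
                ok_users[user] += 1
            # Slide the window start forward past events older than `window`.
            while ts - events[start][0] > window:
                old_ts, old_user, old_ok = events[start]
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
                if old_ok:
                    ok_users[old_user] -= 1
                    if ok_users[old_user] == 0:
                        del ok_users[old_user]
                start += 1
            attempts = end - start + 1
            successes = sum(ok_users.values())
            if (attempts >= min_attempts
                    and len(users_in_window) >= min_distinct_users
                    and successes / attempts <= max_success_ratio):
                prev = alerts.get(ip)
                if prev is None or attempts > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": attempts,
                        "distinct_users": len(users_in_window),
                        "successes": successes,
                        # Accounts that logged in during the attack window are the
                        # ones an incident review must treat as compromised.
                        "compromised": sorted(ok_users),
                        "window_end": ts,
                    }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

The third source in the sample (three tries on one account, then success) is the legitimate case the thresholds are meant to leave alone; the “compromised” list is what feeds breach-notification scoping, since a successful login from a stuffing source is the account takeover itself, not merely an attempt.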
- New Report Addresses Critical Infrastructure Threats and the Role of State and Local Governments in Addressing Them: On February 27, the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) released “Strengthening Critical Infrastructure: State, Local, Tribal & Territorial Progress & Priorities, Volume 1,” which addresses threats to critical infrastructure and the progress state and local governments have made in defending against foreign threats. The report notes that a substantial portion of the nation’s critical infrastructure is managed by U.S. State, Local, Tribal, and Territorial entities and explores the catastrophic consequences of disruptions in systems such as healthcare, education, water, and power. The report further discusses the success to date of “shared services, State and Regional Security Operations Centers (SOCs), and the national support provided by the MS-ISAC, [which provide] round-the-clock monitoring and incident response, centralized threat intelligence, and peer-to-peer collaboration.” The report also discusses key priorities for the future, “including bolstering critical infrastructure resilience, building trust in public institutions through communication, strengthening small and rural communities, addressing insider threats, and investing in workforce development.”
- CISA Defends Stance Against Russian Threat Actors in New Trump Administration: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reaffirmed its commitment to defending against all cyber threats to U.S. critical infrastructure, including those from Russia, under the Trump administration. However, reports indicate that an internal memo introduced new agency priorities that mentioned China but not Russia, and an anonymous source claimed CISA analysts were verbally instructed not to follow or report on Russian threats. A Department of Homeland Security (DHS) spokesperson denied that any such directive came from the Trump administration and criticized The Guardian’s reporting. CISA reiterated that its stance on cybersecurity threats is unchanged, dismissing contrary claims as false and harmful to national security.
Litigation & Enforcement:
- Georgia Federal Court Grants Class Certification In WebMD VPPA Case: On February 20, the United States District Court for the Northern District of Georgia granted class certification in a lawsuit alleging that WebMD violated the Video Privacy Protection Act (VPPA). The plaintiff alleges that WebMD violated the VPPA by sharing the video-viewing activity of WebMD users with Facebook via the “Facebook Pixel.” The court found that the plaintiff met all of the requirements for certification of a class of “All persons in the United States who, from February 17, 2020 through the date on which class notice is disseminated, had the same email address associated with a subscription to webmd.com and a Facebook account, and for whom there is associated Event Data in the possession of Meta Platforms, Inc. showing their video-viewing behavior on webmd.com,” as well as a related subclass.
- FBI Prevents $285 Million in Cryptocurrency Investment Fraud via Operation Level Up: The FBI is touting the success of Operation Level Up in notifying more than 4,000 potential victims and saving them an estimated $285 million. The operation specifically targets cryptocurrency-linked investment fraud. The FBI describes these schemes as “elaborate schemes that often involve unsolicited online contact, a long period of trust building, fake investment opportunities, and a false sense of urgency to send money, perpetrated by individuals typically located overseas who target victims in the United States.” The FBI recommends the following precautions to protect yourself from these scams:
1) Do not release any financial or personal identifying information and do not send any money to someone you met online.
2) Do not invest solely based on the advice of someone you met online.
3) Do not download or use any unfamiliar applications or click on any links sent to you by someone you met online.
4) Do not pay any additional fees or taxes to withdraw money you have invested in a potential scheme.
5) Do not pay for services that claim to be able to recover lost funds, as these are often scams as well.
- Health Net Federal Services, LLC Settles with DOJ for Cybersecurity Noncompliance: TRICARE health benefits program administrator Health Net Federal Services, LLC (“HNFS”) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to the Department of Justice (“DOJ”) to settle claims that HNFS falsely certified compliance with cybersecurity requirements under a contract with the Department of Defense (“DoD”). The settlement resolves claims that HNFS failed to meet certain cybersecurity controls between 2015 and 2018, such as conducting timely vulnerability scans and taking action to remedy known security flaws on its network and systems. The DOJ further alleged that HNFS then falsely certified in its required annual reports that it met these requirements. Officials emphasized the importance of protecting sensitive military health data and enforcing federal cybersecurity obligations among government contractors, and the Defense Criminal Investigative Service (“DCIS”) stated that it will continue to investigate contractors that fail to comply with federal cybersecurity requirements. The case is a reminder that, for contractors, a vulnerability scan that is run but whose findings are never remediated, or a certification signed without evidence behind it, is itself a False Claims Act exposure.
- U.S. Government Seizes $31 Million of Cryptocurrency from Uranium Finance: In late February 2025, the United States Attorney’s Office for the Southern District of New York announced, via X (formerly Twitter), that it and Homeland Security Investigations San Diego had seized $31 million in assets stolen from Uranium Finance in two security incidents in April 2021. The incidents occurred when threat actors exploited flaws in Uranium Finance’s smart contract code, stealing approximately $53 million in cryptocurrency. Victims are requested to contact UraniumVictims@hsi.dhs.gov.
International Updates:
- UK Government Considers Ban on Ransomware Payments for Public Sector: The UK government is exploring legislation to, among other things, prohibit public-sector organizations from paying ransoms following cyberattacks. This proposal emerges amid rising ransomware incidents that disrupt critical public services and compromise sensitive data. Advocates believe that banning ransom payments will discourage cybercriminals by eliminating the financial incentive. However, critics warn that such a measure could leave public entities with few immediate remedies in the aftermath of an attack, potentially resulting in longer service interruptions and higher restoration costs. The debate reflects broader tensions between deterring criminal activities and ensuring the resilience of essential infrastructure.
- European Commissioner Calls Out Slow Implementation of NIS2 Rules: European Commissioner Glenn Micallef has noted that only 7 of the EU’s 27 member states have transposed the NIS2 Directive on protecting national infrastructure into national law. Highlighting recent attacks on undersea data cables, which fall within the scope of the Directive, he called for member states to accelerate adoption of the Directive’s rules. The EU Commission is reviewing replies to the first formal notices sent to countries that have not yet transposed it. It is anticipated that many countries will take several more months to fully implement the Directive’s requirements.
- South Korea Pauses Use of DeepSeek Over Privacy Concerns: On February 15, South Korea’s Personal Information Protection Commission halted all downloads of the Chinese artificial intelligence chatbot DeepSeek over concerns with compliance with the country’s Personal Information Protection Act. The pause on downloads is expected to last until the Chinese company brings itself into compliance with all of the requirements of South Korean law. South Korea also stated that it would be reviewing its processes and improving its guidance to prevent similar lapses in the future.
- ECJ Rules on Upper Limit of Administrative Fines: In its judgment of February 13, the European Court of Justice (ECJ) ruled on a request for a preliminary ruling from the Regional Court of Western Denmark concerning the determination of the upper limit of administrative fines imposed on a controller under Articles 83(4) to (6) of the GDPR. The ECJ held that the definition of an “undertaking” corresponds to that used in Articles 101 and 102 TFEU and thus refers to an economic entity, even if it consists of several legal persons. Accordingly, where the addressee of the administrative fine is or forms part of an undertaking within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding financial year of the undertaking concerned. The ECJ emphasized that the determination of the maximum amount of the fine should be distinguished from the actual calculation of the fine, which requires the supervisory authority to ensure the fine is effective, proportionate and dissuasive, and to have due regard to a number of factors.
- DPC Submits Draft Decision on Inquiry into TikTok: The Irish Data Protection Commission (DPC) submitted a draft decision, under Article 60 of the GDPR, in an inquiry into social media platform TikTok to other national supervisory authorities on February 21. The inquiry, which started in 2021, focuses on transfers by TikTok of personal data of users of its platform to China, and whether such transfers comply with GDPR. The draft decision also considers whether TikTok has complied with GDPR transparency obligations on personal-data processing. The national supervisory authorities have one month to send any “reasoned and relevant” objections or comments to the DPC.
- Irish Data Watchdog Loses Claim Against European Data Protection Board: The Irish Data Protection Commission (“DPC”) has lost a challenge in the European Court of Justice (“ECJ”) against the European Data Protection Board (“EDPB”), having claimed that the EDPB cannot overrule a decision by a national supervisory authority. The ECJ’s finding was that the EDPB can overrule and issue binding instructions to conduct further investigations and make new decisions if there are gaps or insufficient analysis in the original decision.
- The EU Begins Landmark AI Law Enforcement: The European Union has officially begun enforcing its groundbreaking AI Act, imposing strict regulations and potential heavy fines for violations. While the law formally entered into force in August 2024, February 2, 2025 marked the date from which the Act’s prohibited AI practices apply, including social scoring, certain uses of real-time remote biometric identification in public spaces, and manipulative AI tools. Companies that fail to adhere to these restrictions now face penalties of up to 35 million euros or 7% of their global annual turnover, whichever is higher, exceeding the maximum fines under the EU’s GDPR privacy law. From the same date the Act also requires providers and deployers to ensure sufficient AI literacy among staff, to support responsible AI deployment across industries.
Industry Updates:
- Chase Modifies Zelle Service Agreement to Protect Against Social Media Fraud: Chase is updating its Service Agreement for Zelle payments effective March 23, to attempt to prevent users from becoming victims of fraud. Under the amended terms, Chase may request additional information regarding the proposed payment including the purpose of the payment, method of contact with the recipient, and other details “to assess whether [the] payment has elevated fraud or scam risk, or is an illegal, ineligible or improper payment.” Chase further retains the right to “decline payments, restrict your use of Zelle® through Chase, or take other actions” if the information provided is not truthful or the user engages in “risky use of the Zelle Service.”
- North Korea-Linked Hacking Group Steals $1.5 Billion From Cryptocurrency Firm: On February 26, the FBI issued a press release advising that the Lazarus Group, a North Korea-linked threat actor, stole approximately $1.5 billion worth of cryptocurrency from the cryptocurrency exchange Bybit. The group did so by engineering a transfer of virtual currency out of a “cold wallet” operated by Bybit. Cold wallets are devices or other offline media used to store cryptocurrency keys and are generally considered resistant to remote theft; the theft here targeted the transfer process rather than the offline keys themselves. North Korea often uses the theft of cryptocurrency to fund its government, including its nuclear weapons development program. The FBI refers to this activity as “TraderTraitor” and advises private sector entities to block transactions with, or derived from, addresses used by TraderTraitor actors. The press release also provides a list of Ethereum addresses operated by or associated with TraderTraitor actors.
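The FBI’s advice to block transactions “with or derived from” listed addresses has two parts: an exact match against the list, and a taint check for addresses that received the stolen funds downstream. The following is an added example (not code from the newsletter, the FBI, or Bybit) of both checks. The addresses and transfers are constructed placeholders, not the FBI’s published list, and the hop limit and transfer format are assumptions; a production screen would use the real list and a chain-analysis feed rather than a hand-built transfer table.

```python
"""Screen Ethereum addresses against a blocklist and one-direction taint propagation."""
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr):
    """Validate the address format and lower-case it so EIP-55 mixed-case and
    all-lowercase spellings of the same address compare equal."""
    addr = addr.strip()
    if not ADDRESS_RE.match(addr):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return addr.lower()


# Constructed placeholder addresses (NOT the FBI's published TraderTraitor list).
ATTACKER = "0x" + "aa" * 20   # seed address on the hypothetical blocklist
EARLY    = "0x" + "11" * 20   # paid by PEEL1 before PEEL1 ever touched stolen funds
PEEL1    = "0x" + "bb" * 20   # first hop of a peel chain
PEEL2    = "0x" + "cc" * 20   # second hop
DEPOSIT  = "0x" + "dd" * 20   # third hop, e.g. an exchange deposit address
LATE     = "0x" + "ee" * 20   # paid by PEEL1 after it was tainted
INNOCENT = "0x" + "ff" * 20   # never on any path from the attacker

# Constructed transfers: (block_number, from, to, value_wei). Block order matters:
# funds an address sent out BEFORE it received stolen funds are not "derived".
TRANSFERS = [
    (90,  PEEL1,    EARLY,   5 * 10**18),
    (100, ATTACKER, PEEL1,   400 * 10**18),
    (101, PEEL1,    PEEL2,   399 * 10**18),
    (102, PEEL2,    DEPOSIT, 398 * 10**18),
    (103, PEEL1,    LATE,    1 * 10**18),
    (104, INNOCENT, PEEL2,   2 * 10**18),   # sending TO a tainted address does not taint the sender
]


def tainted_addresses(seed, transfers, max_hops=3):
    """Return {address: hops} for the seed addresses (hop 0) and every address that
    received funds from a tainted address within max_hops, following transfers in
    block order so only transfers made after an address became tainted propagate."""
    tainted = {normalize(a): 0 for a in seed}
    for _block, src, dst, _value in sorted(transfers, key=lambda t: t[0]):
        s, d = normalize(src), normalize(dst)
        if s in tainted and tainted[s] < max_hops and d not in tainted:
            tainted[d] = tainted[s] + 1
    return tainted


def screen(address, tainted):
    """Return the hop distance from a blocklisted address (0 = exact match), or
    None if the address is not known to be tainted. A hop of 0 is a hard block;
    higher hops are the 'derived from' case the FBI press release also covers."""
    return tainted.get(normalize(address))


if __name__ == "__main__":
    taint = tainted_addresses([ATTACKER], TRANSFERS)
    for name, addr in [("EARLY", EARLY), ("PEEL1", PEEL1), ("DEPOSIT", DEPOSIT),
                       ("LATE", LATE), ("INNOCENT", INNOCENT)]:
        print(f"{name:8s} hop={screen(addr, taint)}")
```

The block-ordering rule is the part that matters operationally: a naive graph walk that ignores time would flag EARLY, which received funds from PEEL1 before PEEL1 held anything stolen. Real taint also stops being meaningful once funds pass through a large exchange or mixer hot wallet, which is why the hop limit exists and why exchanges lean on chain-analysis providers rather than a flat hop count.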
- Lee Enterprises Confirms Ransomware Attack Affecting 75+ Publications: Lee Enterprises reported in a February 3 SEC filing that it has suffered a ransomware attack. The company, one of the largest newspaper publishers in the U.S., indicated that the attack impacted the company’s operations, including billing, distribution of products, collections, and vendor payments. The Qilin ransomware group has taken credit for the attack and claims to hold 350 GB of data from Lee Enterprises’ systems. Qilin is a ransomware-as-a-service group that has been involved in other major incidents, such as last year’s attack on London hospitals.
- DOJ Arrests Suspects Affiliated with the Phobos Ransomware: The Department of Justice announced that two individuals affiliated with the Phobos ransomware group have been arrested in a coordinated international law enforcement effort. Structured as a ransomware-as-a-service (RaaS) model, Phobos ransomware victimized thousands of entities around the world, including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure. Phobos actors typically gain initial access to vulnerable networks by leveraging phishing campaigns to drop hidden payloads or by using internet protocol (IP) scanning tools to find exposed Remote Desktop Protocol (RDP) ports; internet-facing RDP without multi-factor authentication remains one of the most common ransomware entry points. The arrests resulted from cooperation between U.S. agencies, foreign counterparts, and private cybersecurity partners. As part of the operation, authorities disrupted over 100 servers linked to the criminal network.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.