
Right To Know - November 2024, Vol. 23

November 12, 2024

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here. 


State Action:  

  • NYDFS Encourages Companies to Address AI Security Threats: On Oct. 16, the New York Department of Financial Services (NYDFS) issued guidance urging companies to strengthen AI-related security measures, especially around multifactor authentication (MFA), to counter vulnerabilities from deepfakes and AI-driven social engineering attacks. Directed at NYDFS-regulated entities, the guidance highlights risks such as AI-enabled cyberattacks, deepfake-based deception, and exposure of sensitive data through MFA tools. Recommended controls include robust access measures, enhanced third-party due diligence, AI-specific training, and tracking AI-enabled systems. NYDFS also notes AI’s potential benefits for cybersecurity. The guidance also emphasizes ongoing risk assessments and third-party oversight to mitigate evolving AI-driven threats, with mandatory MFA for nonpublic information set to take effect in 2025.
  • California Governor Signs Three CCPA Updates: During the final days of the California legislative session, Governor Gavin Newsom signed three amendments to the CCPA. Among other things, those amendments added “neural data” to the definition of “sensitive personal information” and made clear that “personal data” as defined under the act can exist in various formats, including physical, digital, and abstract digital. The Governor also vetoed changes that would have added further restrictions on the collection of data from those under the age of 18 and that would have required online platforms to incorporate privacy opt-out mechanisms.
  • Georgia Secretary of State Confirms Attempted Cyberattack on Election Infrastructure: On Oct. 23, Gabriel Sterling, the Chief Operating Officer for the Georgia Secretary of State’s Office, acknowledged (via X) a CNN report that a threat actor had attempted to take down the state’s website for requesting absentee ballots. The October DDoS attack was timed to coincide with the state’s window for requesting absentee ballots. Georgia, along with its cybersecurity partner Cloudflare, was able to keep the website online, and there was no disruption for those requesting absentee ballots. Sterling attributed the attack to “a foreign power or a foreign entity.”
  • Missouri AG Announces Investigation into Google: On Oct. 24, Missouri Attorney General Andrew Bailey announced an investigation into Google. The Attorney General stated that the investigation is based on Google “censoring conservative speech during the most consequential election in our nation’s history.” The announcement was made on X, formerly known as Twitter. In interviews, the Attorney General asserted that Google is manipulating search results.

Regulatory:  

  • HHS OCR Imposes a $70,000 Civil Monetary Penalty Against Gums Dental Care for Failure to Provide Timely Access to Patient Records: On Oct. 17, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a $70,000 penalty on Gums Dental Care, a Maryland solo dental practice, for failing to provide a patient timely access to medical records as required by HIPAA’s right of access provisions. Despite multiple requests and an OCR warning, Gums Dental delayed fulfilling the request for years. This case marks OCR’s 50th right of access enforcement action, underscoring the obligation of healthcare providers to promptly honor patients’ requests for health information access as an essential HIPAA requirement.
  • HHS OCR Settles a Ransomware Investigation for $500,000: On Oct. 31, HHS OCR announced a settlement with Plastic Surgery Associates of South Dakota for violations of the HIPAA Security Rule. The ransomware incident occurred in July 2017 and affected 10,229 individuals. The attackers gained access through the Remote Desktop Protocol using credentials obtained through a brute force attack. OCR found violations of the Security Rule, including failure to conduct a risk analysis, failure to implement measures sufficient to reduce risks and vulnerabilities to ePHI, failure to implement procedures to regularly review records of information system activity, and failure to implement policies and procedures to address security incidents. OCR settled for $500,000, and Plastic Surgery Associates of South Dakota agreed to implement a corrective action plan.
  • CISA, US, and International Partners Release Joint Guidance to Assist Software Manufacturers with Safe Software Deployment Processes: On Oct. 24, CISA issued “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers,” part of the growing body of guidance in CISA’s Secure by Design initiative. The initiative, following the May 2021 Executive Order on Improving the Nation’s Cybersecurity, urges manufacturers to “prioritize the security of customers as a core business requirement.” This 12-page guide, developed by CISA, the FBI, and the Australian Cyber Security Centre (ACSC), provides software manufacturers with guidance “for implementing a safe software deployment process with robust testing and measurement components.” It recommends that software deployment be “based on an established secure software framework such as NIST Secure Software Development Framework (SSDF).” It includes guidance on handling emergencies during or after software deployments, including recovery and notification to customers. The guide is intended for software or service manufacturers but may be adapted for internal IT teams. The objectives include: 1) quality processes, 2) cost and impact management, 3) controlled and measured deployments, 4) comprehensive testing, 5) continuous improvement, 6) optimize for agility, and 7) a secure development ecosystem.
  • HHS OCR Updates the Change Healthcare Cybersecurity Incident FAQ Webpage: On Oct. 22, Change Healthcare reported to the HHS Office for Civil Rights (OCR) that it sent approximately 100 million notifications following a February cyberattack, marking the largest healthcare data breach in U.S. history. Hackers from the ALPHV group, also known as BlackCat, accessed sensitive data, potentially including health IDs, diagnoses, treatment details, and Social Security numbers. The breach caused nationwide claims processing disruptions, with an estimated financial impact of $705 million on UnitedHealth, which issued loans to affected providers. OCR updated its FAQs in response, as UnitedHealth continues to notify impacted individuals.
  • NIST Issues News and Updates on the Cybersecurity Framework 2.0 for Cybersecurity Awareness Month: On Oct. 21, NIST released “NIST CSF 2.0 – News & Updates” to provide information on developments with the Cybersecurity Framework 2.0 for Cybersecurity Awareness Month. The one-page PDF document includes links to a variety of information sources, including Quick Start Guides, More Translations, New Videos, a New Transition Spreadsheet (from CSF 1.1 to 2.0), Update FAQs, and Events & Announcements. The Quick Start Guides include ones for Enterprise Risk Management and Small Businesses. The “Stay Connected With Us!” section has links for following NIST on X, an email contact address, NIST’s CSF web page, and signing up for email updates. This resource document has important information for staying current on NIST’s CSF 2.0 for businesses and organizations using or considering use of the CSF. NIST’s email updates are particularly helpful.

Litigation & Enforcement:  

  • CrowdStrike Faces Lawsuit From Delta: On Oct. 25, Delta filed a lawsuit against CrowdStrike stemming from the outage that caused massive travel disruptions in July 2024. The lawsuit was filed in Fulton County Superior Court in Georgia. Delta called CrowdStrike’s software update faulty and “catastrophic,” and alleged that CrowdStrike “forced untested and faulty updates to its customers, causing more than 8.5 million Microsoft Windows-based computers around the world to crash.” Delta is seeking over $500 million in out-of-pocket losses as well as recovery for lost profits, reputational harm, other costs, and attorneys’ fees. CrowdStrike responded by filing its own lawsuit in federal court in Georgia seeking a declaration that CrowdStrike was not grossly negligent and did not commit willful misconduct, and that the parties’ contract, which contains clauses limiting liability and excluding certain damages, applies.
  • California Court Bars Pixel Claims Against Delta As Preempted By Federal Law: A federal District Court held that privacy claims in a putative class action against Delta Airlines were preempted by the federal Airline Deregulation Act. The plaintiffs claimed that Delta violated their privacy by sharing their personal data with Facebook through Facebook’s tracking pixel. Delta argued that the plaintiffs’ claims were preempted under the Airline Deregulation Act because the allegations “relat[ed] to . . . services of” Delta. The court found that the plaintiffs alleged that they provided their personal data to Delta when booking, purchasing, and reserving travel. The court held that such allegations were related to Delta’s services and, thus, were within the purview of the Airline Deregulation Act; the plaintiffs’ state-law claims for breach of contract and violation of the California Invasion of Privacy Act based on those allegations were therefore preempted.
  • SEC Fines Four Cybersecurity Companies for Filing Misleading Public Disclosures: On Oct. 22, the SEC announced that it had charged Unisys, Avaya, Check Point and Mimecast with filing public disclosures that minimized the effect of the SolarWinds-related cybersecurity incidents on their companies. All four organizations learned that they were affected by intrusions into their environments that were related to SolarWinds. According to the release, Unisys experienced two such intrusions and knew that the unauthorized access resulted in the exfiltration of gigabytes of data, but its disclosure framed the threat from SolarWinds-related incidents as hypothetical. The SEC also said that Avaya’s disclosure was phrased to imply that an unauthorized user was only able to access a limited number of emails, when Avaya knew the unauthorized user was also able to access 145 files in its cloud environment. The SEC noted that Check Point knew it suffered an intrusion but described the risk of an intrusion in generic and hypothetical terms. The SEC said that Mimecast minimized the impact of the incident by not including key details of its intrusion, including the nature of the code that was exfiltrated and the quantity of credentials that were compromised. The companies agreed to settle the claims for fines ranging from $990,000 to $4 million and agreed to cease further violations.
  • Marriott Settles with FTC and State Attorneys General Over Breaches that Occurred Between 2014 and 2020: Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide, LLC (collectively, “Marriott”) entered into settlements with the Federal Trade Commission (“FTC”) as well as the Attorneys General of 49 states and the District of Columbia over claims related to security failures that led to at least three breaches between 2014 and 2020. The breaches collectively involved the theft of over 340 million consumer records containing information such as consumer passports and payment and loyalty card numbers. As part of the settlement with the FTC, Marriott agreed to improve its cybersecurity program by developing or revising its policies and procedures, testing and monitoring its information security controls, limiting the data retained to only what is needed, revising its privacy statements to be accurate to its practices, and having a third party conduct information security assessments. Marriott also agreed to pay $52 million to settle the state Attorneys General actions.
  • CPPA to Carry Out Data Broker Registry Audit: The California Privacy Protection Agency (CPPA) is stepping up enforcement against data brokers who did not register by Jan. 31, as required by California’s Delete Act. While the full law takes effect in 2026, the CPPA is enforcing earlier registration rules managed by the California attorney general’s office. Data brokers must register so consumers can monitor entities handling their data, a necessity in a growing data brokerage industry projected to reach $561 billion by 2029. Noncompliance incurs a $200 daily fine, potentially accumulating significant penalties. Enforcement includes an upcoming data deletion mechanism, set for August 2026, allowing consumers to request removal of their information. Collaborating with domestic and international regulators, including the FCC, CPPA aims to protect privacy across jurisdictions. Other states like Texas, Oregon, and Vermont are implementing similar broker regulations.
  • Russian National Indicted for Series of Ransomware Attacks: The Justice Department has unsealed an indictment charging a Russian national for a series of attacks using the BitPaymer ransomware variant, which impacted many victims throughout the US. The Russian national gained unauthorized access to information stored on networks, deployed the BitPaymer ransomware, and used it to encrypt files. The indicted individual was also added to the U.S. Treasury’s list of Specially Designated Nationals. The designation blocks property and interests in any property the designee may have in the United States and prohibits U.S. financial institutions from engaging in certain transactions and activities with the designated individual.

International Updates:  

  • COSMOSPACE and TELEMAQUE Fined by French Data Protection Authority: On Sept. 26, the French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (“the CNIL”), fined COSMOSPACE €250,000.00 and TELEMAQUE €150,000.00. COSMOSPACE and TELEMAQUE provide remote clairvoyance services and were issued fines for collection of sensitive data without valid consent, failing to comply with the rules governing commercial prospecting, and excessive data retention. The quantum of the fines was decided by the Restricted Committee of the CNIL, which took a number of factors into consideration, including the seriousness of the breaches, the number of data subjects affected, the sensitivity of the data processed, and the financial situations of COSMOSPACE and TELEMAQUE.
  • NIS2 Cybersecurity Directive Enters into Force: The Network and Information Systems Directive 2 has come into force in the EU as of Oct. 17. Whilst still requiring implementing legislation in most of the EU member states (including Germany, France, Spain and Ireland), it will set a new bar for cybersecurity and resilience standards across entities engaged in national infrastructure across 18 industry sectors. Overlapping to a degree with the financial services sector, which will also be captured within the DORA legislation, NIS2 establishes obligations on states, state bodies and the private sector when engaged in critical or important aspects of economic and social infrastructure activities, including personal liability at management level. The purpose is to establish a harmonized and connected approach across the EU so that threats can be rapidly communicated and responded to on a cross-border, homogeneous basis.
  • Financial Services Cybersecurity & Resilience Legislation Coming into Force: The Digital Operational Resilience Act (“DORA”) is coming into force in the EU as of 17th January 2025, less than two months from now. It constitutes a significant raising of standards across cybersecurity, resilience and business continuity posture across the entire financial services industry, including insurance companies. While certain de minimis thresholds apply, it also expands obligations to third-party ICT vendors, who will undoubtedly be looking to bind their own supply chain with contractual obligations to match. It also provides for personal responsibility and liability for management, including CEOs, directors and other responsible persons.

Industry Updates:  

  • CISA, FBI, and NSA Issue Joint Advisory Regarding Increased Threat to Critical Infrastructure: The Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”), the National Security Agency (“NSA”), and some of their international partners have issued a joint advisory regarding ongoing threats to critical infrastructure organizations’ Microsoft 365, Citrix, and other online environments. Iranian cyber actors have been seen using brute force attacks, such as password spraying and MFA “push bombing,” to gain access to online environments, where they move laterally to obtain additional credentials and achieve persistence. The Iranian actors are then selling this information on cybercriminal forums for use in further malicious activity. The advisory provides additional information regarding the tactics, techniques, and procedures (“TTPs”) being used and mitigation steps organizations can take to protect themselves. This is of increased importance for critical infrastructure entities in the current geopolitical environment.
  • Critical Veeam Vulnerability Exploited in Ransomware Attacks: A critical vulnerability in Veeam Backup & Replication software (CVE-2024-40711) is being actively exploited to deploy Akira and Fog ransomware. This flaw, rated 9.8 on the CVSS scale, allows unauthenticated remote code execution and affects outdated Veeam versions. Attackers gain initial access via compromised VPN credentials and create admin accounts to spread ransomware. Anyone utilizing Veeam for backup or replication is encouraged to update the software immediately using the patch available here.
  • Study Shows Healthcare Practices Still Lag in Compliance: A recent study from Software Advice found that, despite HIPAA having been around for close to thirty years, more than one-third of medical practices could not point to an incident response plan. While there was also evidence of the adoption of better technological protections (such as 89% of practices using tools like multi-factor authentication for at least some applications), significant gaps remained.
  • Hiscox Report Shows Cybersecurity Trends: The annual Hiscox Cyber Readiness Report 2024 (“the Hiscox Report”) has unveiled a concerning trend among businesses, with 60% or more of respondents in each of the countries surveyed reporting an increase in cyber attacks in the last 12 months. The Hiscox Report is in its eighth year and surveyed 2,150 security professionals, including 400 in the United States and 250 each from the UK, Ireland, France, Germany, Spain, Belgium and the Netherlands, to perform its analysis. The report found that the adoption of new technology, employees working remotely and increased use of personal devices for work are contributing to the rise in cyber attacks. Additionally, 34% of the professionals surveyed admit that their cyber security measures are compromised due to a lack of expertise in managing the risks associated with emerging technologies. The report also reviews the amounts being spent on cyber security and the plans companies have to increase security.
  • National Public Data Files for Bankruptcy After Massive Data Breach: On Oct. 2, Florida-based data broker National Public Data filed for bankruptcy, citing the financial fallout from a significant data breach disclosed earlier this year. The breach, which compromised the personal information of millions, has led to numerous class-action lawsuits and regulatory actions from over 20 U.S. states and the Federal Trade Commission (FTC). National Public Data acknowledged it could not generate sufficient revenue to cover its mounting liabilities, and its insurer declined to provide coverage.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
