(July 12, 2023) – Consider This
SEC Needs Another Second. On June 6, 2023, the U.S. Securities and Exchange Commission (SEC)
received feedback from industry stakeholders on its proposed cybersecurity
disclosure rules, pushing the final rules out to October 2023. Certain banking
groups criticized the rules as too complicated and as creating potential
enforcement and litigation traps; Wall Street reform groups lauded them.
Bipartisan Bill Aimed To Help Hospitals On Life Support. On June 14, 2023, the Senate
Homeland Security and Governmental Affairs Committee approved legislation to help
rural hospitals contend with cybersecurity personnel shortages.
Reduce The Attack Surface, And That’s An Order. On June 13, 2023, the
Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational
Directive 23-02, which gives federal civilian agencies 14 days, counted from a CISA
notification or from the agency’s own discovery, to either remove an Internet-exposed
management interface from the public Internet or place it behind zero-trust access
controls. The directive covers networked management interfaces on devices such as
firewalls, routers, switches, load balancers, and VPN concentrators, and on
out-of-band server management cards, wherever the interface accepts remote
authentication or administration over protocols such as HTTPS, SSH, RDP, SNMP,
Telnet, or SMB. Because the clock also starts on discovery, the practical
prerequisite is a current inventory of every listener on a public address, with the
management listeners distinguished from ordinary service endpoints.
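As an added example (not part of this newsletter, and not CISA’s own tooling), the check below takes a constructed listener inventory and flags the management interfaces the directive would require action on. The CSV format, the device names and the `role` column are assumptions of the example; the protocol list is the set of management protocols the directive names.

```python
"""Flag device management interfaces that are reachable from the public Internet.

Added example for this newsletter item; it is not CISA tooling. The inventory
below is constructed for the example, and the protocol list is the set of
management protocols BOD 23-02 names.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Management protocols listed in BOD 23-02.
MGMT_PROTOCOLS = frozenset({
    "http", "https", "ftp", "snmp", "telnet", "tftp", "rdp",
    "rlogin", "rsh", "ssh", "smb", "vnc", "x11",
})

# Address space that is not routable from the public Internet. An explicit list
# is used instead of ipaddress.is_global because the stdlib also classifies the
# RFC 5737 / RFC 3849 documentation ranges used in the sample as non-global.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed inventory, one listener per row (assumed format). "role" is what
# the device owner says the listener is for; an empty role means nobody has
# claimed it yet.
SAMPLE_INVENTORY = """\
device,address,port,protocol,role
edge-fw-1,203.0.113.10,443,https,management
edge-fw-1,10.0.0.1,443,https,management
core-rtr-2,203.0.113.20,22,ssh,
lb-3,203.0.113.30,443,https,service
lb-3,203.0.113.30,8443,https,management
branch-rtr-4,100.64.12.5,22,ssh,management
bmc-5,2001:db8::5,623,ipmi,management
db-6,203.0.113.60,5432,postgres,service
"""


@dataclass(frozen=True)
class Finding:
    device: str
    address: str
    port: int
    protocol: str
    reason: str


def is_internet_reachable(addr: str) -> bool:
    """True unless the address is in private, CGNAT, loopback, link-local or ULA space."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE if net.version == ip.version)


def find_exposed_management(inventory_csv: str) -> list[Finding]:
    """Return the listeners the directive would require action on."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        address = row["address"].strip()
        protocol = row["protocol"].strip().lower()
        role = row["role"].strip().lower()
        if not is_internet_reachable(address):
            continue  # private/CGNAT/link-local: out of scope
        if role == "management":
            # Role wins over protocol: an IPMI/BMC listener is management even
            # though IPMI is not in the directive's protocol list.
            reason = "management interface on a public address"
        elif role != "service" and protocol in MGMT_PROTOCOLS:
            # An unclaimed listener on a management protocol is treated as
            # management until its owner proves otherwise.
            reason = f"unclaimed {protocol} listener on a public address"
        else:
            continue  # a service endpoint (e.g. an HTTPS VIP) is not in scope
        findings.append(Finding(row["device"], address, int(row["port"]), protocol, reason))
    return findings


if __name__ == "__main__":
    for f in find_exposed_management(SAMPLE_INVENTORY):
        print(f"{f.device:<14}{f.address:<18}{f.port:<6}{f.protocol:<9}{f.reason}")
```

On the sample, the private and CGNAT listeners and the load balancer’s public HTTPS VIP are skipped, while the firewall’s public admin UI, the unclaimed SSH listener, the load balancer’s admin port and the BMC on a public IPv6 address are reported. The two things a real run depends on are an inventory that carries the owner’s role for each listener, since port and protocol alone cannot tell an HTTPS admin page from an HTTPS application, and a non-routable list that matches what your edge actually filters.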
NYDFS, Take Two. On June 28,
2023, the New York State Department of Financial Services
(NYDFS) published its proposed second amendment to its existing cybersecurity
regulation (23 NYCRR Part 500) for banks, insurance companies, and other financial
services institutions. Among other proposed changes, the amendment
would impose new (1) obligations on “Class A” companies,
(2) notification requirements, (3) governance obligations, and (4)
enforcement provisions. The comment period for the second
amendment closes in August 2023.
Zero Vulnerability
Barracuda Hits a Sour Patch. Barracuda is advising customers to replace, and not
simply patch, Email Security Gateway (ESG) appliances compromised through
CVE-2023-2868: its position is that an appliance compromised before the patch
cannot be trusted afterwards, regardless of patch level. Pending replacement,
credentials connected to the appliance (such as LDAP/Active Directory and SMTP
accounts) should be rotated and the device reviewed against the indicators of
compromise Barracuda has published.
Move It MOVEit. The Clop ransomware group began
exploiting a critical SQL injection vulnerability in Progress MOVEit
Transfer (CVE-2023-34362) on May 27, 2023, using it to plant a web shell on the
server; in some cases data was taken within minutes of the web shell being
deployed.
As The World Turns
Airbnb For Email? To cut the time and
cost of creating email accounts for large spam campaigns,
cybercriminals are now paying individuals for temporary access to their legitimate email accounts.
Numbers Don’t Lie. Obvious news item of the
day: cybercrime is up. According to the FBI’s 2022 Internet Crime Report, reported
losses reached $10.3 billion in 2022.
Ransomware Costs Rise. The second obvious news
item of the day: The average cost of a ransomware attack increased.
Open RDP Honeypot Stings Would-Be Threat
Actors. GoSecure researchers created a honeypot to attract threat actors. The
research revealed over 37,000 daily attacks and nearly 3.5 million
login attempts.
USA! USA! According to Abnormal Security,
between June 2022 and May 2023, European organizations experienced
a higher volume and frequency of
BEC attacks compared to those in the U.S.
Did You Know?
You can subscribe to or visit the Cybersecurity and Infrastructure Security
Agency’s weekly Vulnerability Bulletin for a summary of the new vulnerabilities
recorded in the NIST National Vulnerability Database during the prior week,
grouped by CVSS severity.
Privacy Corner
CCPA Enforcement Delayed. Despite the scheduled July 1, 2023 enforcement date for
the California Privacy Rights Act (CPRA) regulations, a tentative ruling by the
Superior Court for the County of Sacramento on June 29, 2023 bars the California
Privacy Protection Agency (CPPA) from enforcing any CCPA regulation until one year
after that regulation is finalized, which for the regulations finalized on
March 29, 2023 means March 29, 2024.
Now In Effect:
Colorado Privacy Act. On July 7, 2021, Governor
Polis signed Senate Bill 21-190: Protect Personal Data Privacy
establishing the Colorado Privacy Act (CPA). The proposed draft
rules for the CPA were published by the Secretary of State on Oct. 10,
2022, and the final rules were filed with the Secretary of
State on March 15, 2023. The CPA is a part of the State of
Colorado’s Consumer Protection Act and went into effect on July
1, 2023. The Attorney General’s Office and District Attorneys
have sole enforcement power under the CPA. Each violation of the
CPA is a deceptive trade practice that can result in a civil
penalty of up to $20,000 per violation.
Connecticut Data Privacy Act. On May 10, 2022,
Governor Ned Lamont signed Senate Bill 6: An Act Concerning
Personal Data Privacy and Online Monitoring (also known as The
Connecticut Data Privacy Act or CTDPA). The CTDPA took effect on
July 1, 2023. The Attorney General has exclusive authority to
enforce violations of the CTDPA. Entities or individuals that violate
the CTDPA may face civil penalties of up to $5,000 per willful violation. In
addition to civil penalties, the Attorney General can also seek
injunctive relief, restitution, and/or disgorgement.
US Finalizes EU-US Data Privacy Framework Requirements,
Awaits EU Adequacy Decision. On July 3, 2023, U.S. Secretary of Commerce
Gina Raimondo issued the following statement regarding the
European Union-U.S. Data Privacy Framework: “Today, the United
States has fulfilled its commitments for implementing the EU-U.S.
Data Privacy Framework (EU-U.S. DPF) announced by President Joe
Biden and European Commission President Ursula von der Leyen in
March 2022. This represents the culmination of months of
significant collaboration between the United States and the EU and
reflects our shared commitment to facilitating data flows between
our respective jurisdictions while protecting individual rights and
personal data.”
Keep An Eye Out For:
Delaware Personal Data Privacy Act (DPDPA). On
June 30, 2023, the Delaware General Assembly approved a comprehensive
privacy bill, HB 154. The bill applies to businesses that
control or process the personal data of 35,000 or more consumers, or that
control or process the personal data of 10,000 or more consumers and derive more
than 20% of their gross revenue from selling personal data. Nonprofit
organizations are not exempt under the bill, and it includes a 60-day cure
provision that expires on December 31, 2025. Subject to the governor’s approval,
HB 154 will take effect on January 1, 2025.
Utah Consumer Privacy Act. On March 24, 2022,
Gov. Spencer Cox, R-Utah, signed the Utah Consumer Privacy Act (UCPA) into law. The
law takes effect on Dec. 31, 2023. The scope of the UCPA is
narrower than that of other state privacy laws because, in addition to the usual
data-volume thresholds, it applies only to businesses with annual revenue of
$25,000,000 or more.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.