(July 12, 2023) – Consider This

SEC Needs Another Second. On June 6, 2023, the U.S. Securities and Exchange Commission (SEC) received feedback from industry stakeholders regarding its proposed cybersecurity rules, delaying provision of the final rules until October 2023. Certain banking groups criticized the rules for being too complicated and creating potential enforcement and litigation traps. Wall Street reform groups lauded the rules.

Bipartisan Bill Aimed To Help Hospitals On Life Support. On June 14, 2023, the Senate Homeland Security and Governmental Affairs Committee approved legislation to assist rural hospitals in contending with cybersecurity personnel shortages.

Reduce The Attack Surface, And That's An Order. On June 15, 2023, the Cybersecurity and Infrastructure Security Agency issued an order revealing that federal agencies will have 14 days to respond to any reports from CISA about misconfigured or Internet-exposed networking equipment. The directive applies to any networking devices — such as firewalls, routers, and load balancers — that allow remote authentication or administration.

NYDFS, Take Two. On June 28, 2023, the New York State Department of Financial Services (NYDFS) published its proposed second amendment to the existing cybersecurity requirements for banks, insurance companies, and other financial services institutions. Among other proposed changes, the amendment will impose new (1) obligations on "Class A" companies, (2) notification requirements, (3) governance obligations, and (4) enforcement provisions. The comment period for this second amendment closes in August 2023.

Zero Vulnerability

Barracuda Hits a Sour Patch. Barracuda advises customers to replace – and not simply patch – the compromised Email Security Gateway appliances.

Move It MOVEit. The Clop Ransomware Group began exploiting the critical SQL injection vulnerability in MOVEit Transfer on May 27 and in some cases has taken data within minutes of deploying the web shells.

As The World Turns

Airbnb For Email? To help reduce the time and cost of creating email accounts for large spam campaigns, cybercriminals are now paying individuals to rent access to their email accounts.

Numbers Don't Lie. Obvious news item of the day: Cybercrime is up. According to the FBI Internet Crime Report, cyber losses in 2002 reached $10.3 billion.

Ransomware Costs Rise. The second obvious news item of the day: The average cost of a ransomware attack increased.

Open RDP Honeypot Stings Would-Be Threat Actors. GoSecure researchers created a honeypot to attract threat actors. The research revealed over 37,000 daily attacks and nearly 3.5 million login attempts.

USA! USA! According to Abnormal Security, between June 2022 and May 2023, European organizations experienced a higher volume and frequency of BEC attacks compared to those in the U.S.

Did You Know?

You can subscribe to or visit the Cybersecurity and Infrastructure Security Agency's Vulnerability Bulletins to obtain a weekly summary of new vulnerabilities.

Privacy Corner

CCPA Enforcement Delayed. Despite the scheduled implementation of the California Privacy Rights Act (CPRA) regulations on July 1, 2023, a tentative ruling by the Superior Court for the County of Sacramento on June 29, 2023 has temporarily prevented the California Privacy Protection Agency (CPPA) from enforcing the CCPA regulations for one year after their enactment.

Now In Effect:

Colorado Privacy Act. On July 7, 2021, Governor Polis signed Senate Bill 21-190: Protect Personal Data Privacy establishing the Colorado Privacy Act (CPA). The proposed draft rules for the CPA were published by the Secretary of State on Oct. 10, 2022, and the final rules were filed with the Secretary of State on March 15, 2023. The CPA is a part of the State of Colorado's Consumer Protection Act and went into effect on July 1, 2023. The Attorney General's Office and District Attorneys have sole enforcement power under the CPA. Each violation of the CPA is a deceptive trade practice that can result in a civil penalty of $20,000.

Connecticut Data Privacy Act. On May 10, 2022, Governor Ned Lamont signed Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring (also known as The Connecticut Data Privacy Act or CTDPA). The CTDPA took effect on July 1, 2023. The Attorney General has exclusive authority to enforce violations of CTDPA. Entities or individuals that violate the CTDPA may face civil penalties up to $5,000 per violation. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, and/or disgorgement.

US finalizes EU-US Data Privacy Framework Requirements, Awaits EU Adequacy Decision. U.S. Secretary of Commerce Gina Raimondo issued the following statement regarding the European Union-U.S. Data Privacy Framework: "Today, the United States has fulfilled its commitments for implementing the EU-U.S. Data Privacy Framework (EU-U.S. DPF) announced by President Joe Biden and European Commission President Ursula von der Leyen in March 2022. This represents the culmination of months of significant collaboration between the United States and the EU and reflects our shared commitment to facilitating data flows between our respective jurisdictions while protecting individual rights and personal data."

Keep An Eye Out For:

Delaware Personal Data Privacy Act (DPDPA). On June 30, the Delaware General Assembly approved a comprehensive privacy bill, HB 154. This bill applies to businesses that manage or handle personal data from over 35,000 consumers or generate 20% of their revenue by selling the data of more than 10,000 consumers. Nonprofit organizations are not exempted under this bill, and it includes a 60-day cure provision that will expire on December 31, 2025. Subject to the governor's approval, HB 154 will come into effect on January 1, 2025.

Utah Consumer Privacy Act. On March 24, 2022, Gov. Spencer Cox, R-Utah, signed the Utah Consumer Privacy Act (UCPA) into law. The law goes into effect on Dec. 31, 2023. The scope of the UCPA is narrower than that of other state privacy laws due to the annual revenue threshold requirement of $25,000,000.
