FCC Adopts Updated Data Breach Notification Rules

On December 13, 2023, the Federal Communications Commission (FCC) voted to update its 16-year old data breach notification rules (the “Rules”). Pursuant to the FCC update, providers of telecommunications, Voice over Internet Protocol (VoIP) and telecommunications relay services (TRS) are now required to notify the FCC of a data breach, in addition to existing obligations to notify affected customers, the FBI and the U.S. Secret Service.

The updated Rules introduce a new customer notification timing requirement, requiring notice of a data breach to affected customers without unreasonable delay after notification to the FCC and law enforcement agencies, and in no case more than 30 days after the reasonable determination of a breach. The new Rules also expand the definition of “breach” to include “inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.” The updated Rules further introduce a harm threshold, whereby customer notification is not required if a carrier or TRS provider can “reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach,” or where the breach solely involves encrypted data and the encryption key was not affected.

How a Zero-Day Flaw in MOVEit Led to a Global Ransomware Attack

In an era where our lives are ever more intertwined with technology, the security of digital platforms is a matter of national concern. A recent large-scale cyberattack affecting several U.S. federal agencies and numerous other commercial organizations emphasizes the criticality of robust cybersecurity measures.

The Intrusion

On June 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) identified an exploit by “Threat Actor 505” (TA505), namely, a previously unidentified (zero-day) vulnerability in a data transfer software called MOVEit. MOVEit is a file transfer software used by a broad range of companies to securely transfer files between organizations. Darin Bielby, the managing director at Cypfer, explained that the number of affected companies could be in the thousands: “The Cl0p ransomware group has become adept at compromising file transfer tools. The latest being MOVEit on the heels of past incidents at GoAnywhere. Upwards of 3000 companies could be affected. Cypfer has already been engaged by many companies to assist with threat actor negotiations and recovery.”

CISA, along with the FBI, advised that “[d]ue to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”

Although CISA did not comment on the perpetrator behind the attack, there are suspicions about a Russian-speaking ransomware group known as Cl0p. Much like in the SolarWinds case, they ingeniously exploited vulnerabilities in widely utilized software, managing to infiltrate an array of networks.

Wider Implications

The Department of Energy was among the many federal agencies compromised, with records from two of its entities being affected. A spokesperson for the department confirmed they “took immediate steps” to alleviate the impact and notified Congress, law enforcement, CISA, and the affected entities.

This attack has ramifications beyond federal agencies. Johns Hopkins University’s health system reported a possible breach of sensitive personal and financial information, including health billing records. Georgia’s statewide university system is investigating the scope and severity of the hack affecting them.

Internationally, the likes of BBC, British Airways, and Shell have also been victims of this hacking campaign. This highlights the global nature of cyber threats and the necessity of international collaboration in cybersecurity.

The group claimed credit for some of the hacks in a hacking campaign that began two weeks ago. Interestingly, Cl0p took an unusual step, stating that they erased the data from government entities and have “no interest in exposing such information.” Instead, their primary focus remains extorting victims for financial gains.

Still, although every file transfer service based on MOVEit could have been affected, that does not mean that every file transfer service based on MOVEit was affected. Threat actors exploiting the vulnerability would likely have had to independently target each file transfer service that employs the MOVEit platform. Thus, companies should determine whether their secure file transfer services rely on the MOVEit platform and whether any indicators exist that a threat actor exploited the vulnerability.

A Flaw Too Many

The attackers exploited a zero-day vulnerability that likely exposed the data that companies uploaded to MOVEit servers for seemingly secure transfers. This highlights how a single software vulnerability can have far-reaching consequences if manipulated by adept criminals. Progress, the U.S. firm that owns MOVEit, has urged users to update their software and issued security advice.

Notification Requirements

This exploitation likely creates notification requirements for the myriad affected companies under the various state data breach notification laws and some industry-specific regulations. Companies that own consumer data and share that data with service providers are not absolved of notification requirements merely because the breach occurred in the service provider’s environment. Organizations should engage counsel to determine whether their notification requirements are triggered.

A Call to Action

This cyberattack serves as a reminder of the sophistication and evolution of cyber threats. Organizations using the MOVEit software should analyze whether this vulnerability has affected any of their or their vendors’ operations.

With the increasing dependency on digital platforms, cybersecurity is no longer an option but a necessity in a world where the next cyberattack is not a matter of “if” but “when;” it’s time for a proactive approach to securing our digital realms. Organizations across sectors must prioritize cybersecurity. This involves staying updated with the latest security patches and ensuring adequate protective measures and response plans are in place.

© 2023 Bradley Arant Boult Cummings LLP

For cybersecurity legal news, click here to visit the National Law Review.

Small Businesses Don’t Recognize Risk of Cyberattack Despite Repeated Warnings

CNBC surveys over 2,000 small businesses each quarter to get their thoughts on the overall business environment and their small business’ health. According to the latest CNBC/SurveyMonkey Small Business Survey, despite repeated warnings by the Cybersecurity and Infrastructure Security Agency and the FBI that U.S.- based businesses are at an increased risk of a cyber-attack following Russia’s invasion of Ukraine, small business owners do not believe that it is an actual risk that will affect them, and they are not prepared for an attack. The latest survey shows that only five percent of small business owners reported cybersecurity to be the biggest risk to their company.

What is unfortunate, but not surprising, is the fact that this is the same percentage of small business owners who recognized a cyber attack as the biggest risk a year ago. There has been no change in the perception among business owners, even though there are repeated, dire warnings from the government. Also unfortunate is the statistic that only 33 percent of business owners with one to four employees are concerned about a cyber attack this year. In contrast, 61 percent of business owners with more than 50 employees have the same concern.

According to CNBC, “this general lack of concern among small business owners diverges from the sentiment among the general public….In SurveyMonkey’s polling, 55% of people in the U.S. say they would be less likely to continue to do business with brands who are victims of a cyber attack.” CNBC’s conclusion is that there is a disconnect between business owners’ appreciation of how much customers care about data security and that “[s]mall businesses that fail to take the cyber threat seriously risk losing customers, or much more, if a real threat emerges.” Statistics show that threat actors are targeting small to medium-sized businesses to stay under the law enforcement radar. With such a large target on their backs, business owners may wish to make cybersecurity a priority. It’s important to keep customers.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

FBI and DHS Warn of Russian Cyberattacks Against Critical Infrastructure

U.S. officials this week warned government agencies, cybersecurity personnel, and operators of critical infrastructure that Russia might launch cyber-attacks against Ukrainian and U.S. networks at the same time it launches its military offensive against Ukraine.

The FBI and the Department of Homeland Security (DHS) warned law enforcement, military personnel, and operators of critical infrastructure to be vigilant in searching for Russian activity on their networks and to report any suspicious activity, as they are seeing an increase in Russian scanning of U.S. networks. U.S. officials are also seeing increased disinformation and misinformation generated by Russia about Ukraine.

The FBI and DHS urged timely patching of systems and reporting of any Russian activity on networks, so U.S. officials can assess the threat, assist with a response, and prevent further activity.

For more information on cyber incident reporting, click here.

Even though a war may be starting halfway across the world, Russia’s cyber capabilities are global. Russia has the capability to bring us all into its war by attacking U.S. government agencies and companies. We are all an important part of preventing attacks and assisting others from becoming a victim of Russia’s attacks. Closely watch your network for any suspicious activity and report it, no matter how small you think it is.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

FBI Issues Cyber Attack Alert Against Tokyo Olympics Service Providers

On July 19, 2021, the Federal Bureau of Investigations issued a Private Industry Notification to service providers and “entities associated with the Tokyo 2020 Summer Olympics that cyber actors who wish to disrupt the event could use distributed denial of service (DDoS) attacks, ransomware, social engineering, phishing campaigns, or insider threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak or hold hostage sensitive data, or impact public or private digital infrastructure supporting the Olympics.”

According to the Notification, “Malicious activity could disrupt multiple functions, including media broadcasting environments, hospitality, transit, ticketing, or security.”

The Notification points out that large events attract extra attention from cybercriminals and nation-state actors such as the attacks during the 2018 PyeongChang Winter Olympics. The FBI indicted Russian-based actors for intrusions during the Winter Olympics, including one that disrupted the Opening Ceremony.

The FBI encourages “service providers and other relevant partners to maintain business continuity plans to minimize essential service interruptions, as well as preemptively evaluate potential continuity and capability gaps…the FBI encourages regularly monitoring networks and employing best practices.” The Notification then provides details on what those best practices are.

Frankly, the list of best practices provided by the FBI are best practices for all companies, including those supporting the Tokyo Olympics.

Copyright © 2021 Robinson & Cole LLP. All rights reserved.

For more articles on cybersecurity, visit the NLRCommunications, Media & Internet section.

A Lawyer, C.I.A. Analyst and a Crisis Management Specialist Walk Into a Bar…

Before James Comey headed up the F.B.I., he served as general counsel of Lockheed Martin Corporation. While at Lockheed, he spoke at the National Security Agency about how studying law is similar to the education intelligence analysts receive. “You read a case and decipher…relevant facts, the [outcome] of the case…you are drilled on your reasoning, challenged by other interpretations…clear writing matters…facts matter.”  He went on to praise legal training “because it is an extraordinarily valuable tool in the world of intelligence.”

He elaborated on what he called a “uniquely lawyerly ability…to transport ourselves to another time and place. The ability to present facts to an imaginary future fact-finder, in an environment very different from the one in which we face current crisis and decision…we know that our actions, and those of the agencies we support, will be held up in a quiet, dignified, well-lit room, where they can be viewed with the perfect, and brutally unfair, vision of hindsight.”

Comey talked about how lawyers “must know how to say both ‘yes’ and ‘no,’ even when ‘no’ must be spoken into a storm of crisis, with loud voices all around, with lives hanging in the balance…and often, ‘no’ must be spoken in competition with the voices of other lawyers who do not have the courage to echo it.”

While I find Mr. Comey’s short remarks to be thoughtful and on target, I do take exception to his assertion that presenting facts to an imaginary future fact-finder is “uniquely lawyerly.”  I would argue that same skill set is present in the men and women who practice the specialized art and craft of crisis management and crisis communications.  They, too, must be able to quickly perform a situation analysis (often within the fog of information overload), look for connections and quickly play out a variety of scenarios, also knowing they will be second-guessed if things go awry.  And just as important as lawyers giving red light-green light counsel, so must crisis management counsel be able to take a stand – and speak truth to power.

Bad things do happen to good people, to good companies, agencies, nonprofits, schools and hospitals.  But as Greek philosopher Epictetus said, “It’s not what happens to you, but how you react to it that matters.”  And when those things do happen, it’s important to have both lawyers and seasoned crisis managers in the room, each with the ability to say “yes” or “no” with conviction, backed up with the kind of experience that can’t be found in a book.

In that talk at the National Security Agency, Comey said, “It takes far more than a sharp legal mind to say ’no’ when it matters most.  It takes moral character.  It takes an ability to see the future.  It takes an appreciation of the damage that will flow from an unjustified ‘yes’ (and) when it can be, to ‘no’ when it must be.”

I couldn’t agree more.


© 2020 Hennes Communications. All rights reserved.

See the National Law Review Law Office Management section for similar topics.

Emerging Cyber-Security Threats for 2020: The Rise of Disruptionware and High-Impact Ransomware Attacks

Disruptionware is defined by the Institute for Critical Infrastructure Technology (ICIT) as a new and “emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity and confidentiality of the systems, networks and data belonging to the target.”  New forms of disruptionware can be a more crippling form of cyber-attack than other more “garden-variety” malware and ransomware attacks. This is the case since, as the ICIT notes, disruptionware not only attempts to encrypt and deny users access to their data, but works as a “layered attack” designed to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Disruptionware has “consumed” many traditional cyber-attacks, making them part of the disruptioware “toolkit.” These techniques include cyber-attacks such as ransomware, “wipers,” “bricking capabilities,” automated components, data exfiltration tools and network reconnaissance tools. (See ICIT report for further definitions.) Today, the rise of disruptionware is a new and even more chaotic form of cyber warfare attack – it not only attempts to encrypt and deny users access to their data, but disruptionware works to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Additionally, generalized forms of ransomware attacks – designed to block access to the victim’s computer systems until money is paid – are continuing to represent a more prevalent threat to government agencies, healthcare providers and educational institutions. Ransomware was so destructive on its own that the FBI recently issued a Public Service Announcement (PSA) warning about such “high-impact” attacks on critical private and public sector institutions. Underscoring the FBI’s announcement, another publication has noted the rise of ransomware attacks since the beginning of 2019 finding that there have been at least 621 reported successful ransomware attacks against U.S.-based corporations. Of these attacks, at least 491 were targeted against healthcare providers, while another 68 of the attacks were directed at county and municipal institutions, and 62 of the attacks were focused on school districts.

According to the FBI, hospitals and health care institutions are the primary targets of these high-impact ransomware attacks because of the critical role they play in providing lifesaving services, and the fact that these institutions usually do not have the luxury of taking time to restore backups in order to get their networks working again and running safely and securing after an attack. Above and beyond the costs associated with paying the ransom and restoring computer networks and systems, ransomware attacks on hospitals and health care providers have proven especially damaging because they affect the ability of the targeted healthcare providers to deliver critical health care services to patients. Perhaps even more disturbingly, many of the victim companies reported losing data even when they paid the ransom demanded by the hackers. Nevertheless, according to the blog “knowbe4,” it was predicted that ransomware payments alone by victim companies will have exceeded $11.5 billion in 2019 – representing an increase of almost 30% over the approximately $8 billion paid in 2018.

Along with the rise of disruptionware and high-impact ransomware, hackers are also now using new and diverse techniques to launch multiple forms of cyber-attacks including, among other things, an increased use of new Remote Desktop Protocol (RDP) attacks, as well as leveraging various software vulnerabilities to infect organizations through backdoor channels. Unfortunately, few businesses are hardening their IT infrastructure against these new types of extremely damaging cyber-attacks. RDP attacks are becoming far more common because of the simplicity of many users’ login credentials, while companies are not doing enough to “whitelist” exclusively acceptable computer software and applications to prevent security holes caused by numerous software vulnerabilities in unsecured and sometimes untested software applications.

The FBI’s PSA serves as a warning to businesses that they should have a plan in place to respond efficiently and appropriately in the event of high impact ransomware and disruptionware attacks. Such plans should include, among other things, clear designations of responsible individuals (both inside and outside the company), procedures for contacting law enforcement, and the business having a firm understanding of what their data is as well as a good understanding of its importance in the overall business plan. Finally, businesses need a current and workable Disaster Recovery Plan for getting the organization up and running again as quickly as possible if there is a cyber-attack. Businesses would be wise to review how their systems are backed up, as reliable and readily accessible backups are often critical in allowing ransomware or disruptionware victims to try and resume normal business operations as quickly as possible.


©2020 Drinker Biddle & Reath LLP. All Rights Reserved

For more on ransomware and other cyberthreats, see the Communications, Media & Internet section of the Nationa Law Review.

British Member of “The Dark Overlord” Hacking Organization Extradited to Face Conspiracy and Identify Theft Charges in the United States

Beginning in 2016, the computer hacking organization known as “The Dark Overlord,” began to target victims in the St. Louis, Missouri area, including various health care providers, several accounting firms, and a medical records company.  By remotely accessing these victims’ computer networks without authorization, The Dark Overlord was able to obtain sensitive records and information, which it then threatened to release unless the companies paid a ransom in bitcoin.

Following a lengthy investigation conducted by the Federal Bureau of Investigation and British authorities, United Kingdom national Nathan Wyatt was extradited to the United States and appeared before a federal district court in eastern Missouri on Wednesday, December 18, 2019, to face charges of aggravated identity theft, threatening damage to a protected computer, and conspiracy.  While Wyatt is the first member of The Dark Overlord to face prosecution, government officials have expressed a hope that this will signal to other cyber hackers targeting American companies that they will not be able to use territorial borders to evade justice and prosecution by the United States.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.

Privacy Tip #219 – FBI Considers FaceApp a Counterintelligence Threat

For those of you who have downloaded the face editing app FaceApp, please note that the Federal Bureau of Investigation (FBI) has classified FaceApp as a counterintelligence threat because of its Russian origins.

According to the FBI, “[T]he FBI considers any mobile application or similar product developed in Russia, such as FaceApp, to be a potential counterintelligence threat, based on the data the product collects, its privacy and terms of use policies, and the legal mechanisms available to the Government of Russia that permit access to data within Russia’s borders.”

When the FBI considers an app a security threat to the U.S., we all should. Downloading apps, in general, is risky, but downloading apps based in foreign countries that are trying to obtain information about U.S. citizens – and in fact are obtaining information from unwitting U.S. citizens – is potentially putting us in danger.

Now is the time to perform app hygiene. Check the apps on your phone to determine whether you are using them or not. If you aren’t using them, delete them. There is no reason to continue to allow them to collect your information if you are not using them and getting a benefit from them. If you are using them and can’t live without them, do some due diligence to determine the background of the app, read the Privacy Policy and Terms of Use to know what they are collecting and using about you, and delete the app if your gut tells you something’s not right. If you have downloaded FaceApp, that would be the first one to delete.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.

FBI’s Choice of Contractors Not as Good as Its Crime Solving/Terrorist Tracking

fbibuilding jedgar hoover.jpgThe FBI is very good at tracking down terrorist threats and catching criminals. It appears, however, that it needs some help in choosing contractors to support its mission.

The FBI wanted a contractor for its Name Check and Freedom of Information Act (FOIA)/Declassification programs. Specifically, the FBI needed personnel to conduct research and to provide analysis and reporting services. The FBI decided to procure these services under the Federal Supply Schedule (FSS) using streamlined procedures. So, the FBI issued a Request for Quotations (RFQ) with these labor categories: research analysts; program managers, general consultants; and legal administrative assistants. That much is clear.

The rest is less clear. Apparently, the FBI selected a contractor that did not have the required personnel. Instead of personnel with experience in paralegal, records management and declassification review, the FBI got personnel with capabilities in the development of business methods and identification of best practices. That’s according to the Government Accountability Office (GAO) decision in US Investigations Services, Professional Services Division, Inc., B-410454.2, Jan. 15, 2015, 2015 CPD ¶ 44.

That case was cited by GAO’s general counsel, Susan A. Poling, recently in the GAO Bid Protest Annual Report to Congress for Fiscal Year 2015. Ms. Poling cited to US Investigations Services as an example of GAO’s Most Prevalent Grounds for Sustaining Protests. GAO notified Congress that “unreasonable technical evaluation” was no. 5 on the list and described the decision as follows: “finding that the agency erred in concluding that the labor categories included on the awardee’s Federal Supply Schedule contract encompassed the requirements of the task order.”

Contractors can learn valuable lessons from this case. First, don’t leave the Government hanging. Make sure the labor categories in your proposal match the categories listed in the Solicitation. If there is not a direct match, make sure you explain how your personnel fit the requirements. For task orders under FSS contracts, the law is clear. All solicited labor categories must be on the successful offeror’s FSS contract. Here, maybe the awardee was surprised that it won. More likely, the awardee just failed to explain what it was offering. That was fatal. If you can’t explain how your labor categories fit the RFQ requirements, maybe you should take a pass on the bid.

For protesters and disappointed bidders, this case demonstrates a solid ground for protest. In truth, you probably already know what your competitors are offering, at least when it comes to FSS contract offerings. A quick check on www.GSAAdvantage.gov after you receive an award notice is always a good idea.

Footnote: Although GAO sustained USIS’s protest, the FBI had overridden the automatic stay of performance. Thus, GAO made alternative recommendations to the FBI. Under one scenario, the FBI could consider awarding the task order to USIS but first it had more work to do. That is because in a different protest GAO had questioned an agency’s affirmative determination of USIS’s responsibility in the face of fraud allegations against USIS’s parent company. So, if the FBI was to select the “next in line” bidder, it would have to be careful that the bidder was eligible to perform the work. Otherwise, it could be back to the drawing board.

Article By Michael D. MaloneyCharles R. Lucy & Diego G. Hunt of Holland & Hart LLP

Copyright Holland & Hart LLP 1995-2016.