On August 22, 2024, the United States Department of Justice (“DOJ”) filed a complaint-in-intervention in a whistleblower lawsuit brought against Georgia Institute of Technology (“Georgia Tech”) and Georgia Tech Research Corporation (“GTRC”) asserting claims under the False Claims Act (“FCA”) and federal common law based on allegations that Georgia Tech and GTRC failed to meet cybersecurity requirements mandated by U.S. Department of Defense (“DoD”) contracts and DoD regulations.
In United States ex rel. Craig v. Georgia Tech Research Corp, et al., which is pending in the United States District Court for the Northern District of Georgia, the DOJ alleges that, from as early as May 2019, Georgia Tech and GTRC, an affiliate of Georgia Tech that contracts with government agencies for work to be performed at Georgia Tech, failed to enforce cybersecurity regulations in order to allegedly “accommodate ‘researchers [who were] pushing back’ on cybersecurity compliance because they found it burdensome.” The complaint-in-intervention further alleges that, until at least February 2020, “Georgia Tech failed to enforce basic cybersecurity at the Astrolavos Lab” despite the lab possessing “nonpublic and sensitive DoD information.” It is also alleged that, even after Astrolavos Lab implemented a system security plan, Georgia Tech and GTRC “failed to: (1) assess the system on which the Astrolavos Lab processed, stored or transmitted sensitive DoD data using DoD’s prescribed assessment methodology; and (2) provide to DoD an accurate summary level score for Astrolavos Lab to demonstrate the state of the lab’s compliance with applicable cybersecurity regulations.” The submission of a summary level score is a “condition of contract” for most DoD contracts.
The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect with the naked eye (or ear). These deepfakes pose substantial new risks for commercial organizations. For example, deepfakes can threaten an organization’s brand, impersonate leaders and financial officers, and enable access to networks, communications, and sensitive information.
In 2023, the National Security Agency (NSA), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (the “Joint CSI”) entitled “Contextualizing Deepfake Threats to Organizations,” which outlines the risks to organizations posed by deepfakes and recommends steps that organizations, including national critical infrastructure companies (such as financial services, energy, healthcare and manufacturing organizations), can take to protect themselves. Loosely defining deepfakes as “multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence),” the Joint CSI cautioned that the “market is now flooded with free, easily accessible tools” such that “fakes can be produced in a fraction of the time with limited or no technical expertise.” Thus, deepfake perpetrators could be mere amateur mischief makers or savvy, experienced cybercriminals.
As a privacy officer, what keeps you up at night?
Is it the ransomware boogeyman, or perhaps the data breach creeps?
Whatever it may be, Epstein Becker Green litigators J.T. Wilson III, Stuart Gerson, and Brian Cesaratto are here to shed light on the subject in this episode of Speaking of Litigation.
On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”). New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.
Scope and Exemptions
SB 332 imposes obligations on “controllers” – entities or individuals that determine the purpose and means of processing personal data – that ...
On October 27, 2023, the Federal Trade Commission (“FTC”) approved an amendment to the Safeguards Rule that requires non-banking financial institutions (e.g., mortgage companies, mortgage brokers, and creditors) to notify the FTC when certain data breaches and other security events occur. The Safeguards Rule, promulgated by the FTC in 2002, has long required non-banking financial institutions to create, implement, and maintain a comprehensive security program to keep the information and data of its customers safe. Now, if one of these institutions suffers a security ...
On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.
Last week, blockchain analysis firm, Chainalysis, held its annual conference, Links 2023, in New York City, where private and public sector leaders met to discuss emerging issues impacting the blockchain, cryptocurrency, and digital asset space. The conference featured presentations from notable public and private sector leaders, including government regulators, enforcement bodies who investigate and assist in prosecuting virtual asset fraud, and executives from financial institutions.
On July 7, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion entitled ‘“Fair Credit Reporting: Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports.”[1] The advisory opinion clarifies that “permissible purposes” under the Fair Credit Reporting Act (the “FCRA”) are “consumer specific” and highlights that a person who uses or obtains a “consumer report” is “strictly prohibit[ed]” from doing so without a permissible purpose under the FCRA. In the midst of ongoing Congressional efforts to pass a comprehensive federal data privacy law, the CFPB’s advisory opinion is a reminder of the existing rules that protect consumer privacy.
On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.
The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged a “Shields Up” defense in depth approach, as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate” are destructive attacks that corrupt the infected computers’ master boot record rendering the device inoperable. The wipers effectuate a denial of service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risks now escalate of a spillover effect to Europe and the United States particularly as to: (i) targeted cyber attacks including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya” which was attributed to the Russian military to target Ukranian organizations in 2017, but then quickly spread around the world reportedly resulting in over $10 billion dollars in damage.[1] The researchers added that the current wiper has included even further components designed to inflict damage.
Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and java script) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.
In a recent Press Release dated December 15, 2021, the Office of the Attorney General for the State of New Jersey (the “N.J. Attorney General’s Office”) announced the settlement, via consent order, of alleged HIPAA violations involving three, New Jersey based cancer treatment providers, In the Matter of RCCA MSO LLC, Regional Cancer Care Associates LLC, and RCCA MD LLC. Two key takeaways from this matter are that New Jersey based health care providers need to be wary of state as well federal authorities when it comes to information security and related policies and warrant substantial investments in cyber security.
There are cybersecurity lessons to be learned from high profile data breaches and the ensuing regulatory responses. The recent well-publicized Twitter hack is no different. According to the New York State Department of Financial Services (“NYSDFS”) investigation and report, on July 15, 2020, a 17-year old hacker and his accomplices easily misled Twitter’s employees into disclosing their credentials resulting in a breach of Twitter’s network and the hackers’ takeover of accounts assigned to high-profile users in just a 24-hour period. The NYSDFS concluded that ...
Blog Editors
Recent Updates
- Third Circuit Holds that the Public Disclosure Bar Precludes Qui Tam Actions Based on Information Available on Publicly Accessible Databases
- Supreme Court of Ohio Rules on a Peer-Review Privilege Issue in Stull v. Summa
- Agency Actions Remain Judicially Unreviewable Where Congress Has Legislated Clear Agency Authority - SCOTUS Today
- The Loper and Jarksey Era: Agency Power to Award Civil Penalties in SEC and FINRA Under Increased Scrutiny
- Navigating Regulatory Challenges in the Dietary Supplement Industry: Insights on NJ Assembly Bill No. 1848