Two weeks ago, the Department of Justice (“DOJ”) announced two significant enforcement actions and shut down NetWalker and Emotet, powerful tools that had been used by alleged criminal networks engaging in widespread ransomware extortion schemes.
On November 9, 2020, the U.S. Federal Trade Commission (“FTC”) announced a proposed settlement with Zoom Video Communications, Inc. (“Zoom”), a video conferencing provider, to resolve claims that Zoom deceived users about the extent and nature of its software’s encryption and secretly installed software that circumvented a browser security safeguard.
In 2019, the Federal Bureau of Investigation (“FBI”) estimated that business email compromises, often carried out via email scams that trick businesses into making wire payments, caused $1.7 billion in losses for businesses that fell victim to these schemes, the highest out-of-pocket losses incurred from any class of cybercrime.
On September 29, 2020, the Department of Defense (“DoD”) issued an Interim Rule to supplement its Cybersecurity Maturity Model Certification (“CMMC”) program with a DoD Assessment Methodology.
On October 1, 2020, the Office of Foreign Assets Control (“OFAC”) issued guidance warning of potential sanctions risks for making ransomware payments related to malicious cybersecurity incidents. The same day, the Financial Crimes Enforcement Network (“FinCEN”) issued an advisory related to the role of financial institutions in processing ransomware payments.
In June 2019, U.S. Customs and Border Protection (“CBP”) suspended a government contractor, Perceptics, LLC, after it suffered a highly publicized cyberattack that resulted in a breach of sensitive data collected from Government surveillance equipment used along the U.S. border.
General Counsel and in-house legal departments have long struggled with articulating the risk of and determining the appropriate response to breaches of the company network and the potential exposure of confidential information about employees and third parties. It’s rarely a simple question.
A recent order by a federal court in Virginia rejected arguments that a cybersecurity consultant’s data breach report, which had been prepared at the direction of outside legal counsel, qualified for work product protection.
In this final installment of our three-part series around questions for companies to consider during and after the COVID-19 pandemic, we will focus on the increased usage of outside service providers and on issues specific to reopening.
Last week, we discussed how the increased number of employees working remotely created new challenges for companies’ information governance and record retention policies and practices (Part One).
It’s no news to anyone at this point that work has drastically changed in response to COVID-19. Working from home, designating essential employees, wearing masks, checking temperatures, and making other adaptations are common and expected.
When a person who is authorized to access information on a computer for certain purposes accesses the information for another, improper purpose, does that amount to a federal crime?