Publications & Advisories

Selected U.S. Privacy & Cyber Updates

CISA, FBI, NSA, and International Partners Issue Joint Cybersecurity Advisory for Top Routinely Exploited Vulnerabilities in 2023

On November 12, 2024, the CISA, FBI, NSA, and several international partners (including the Australian Signals Directorate's Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre and New Zealand Computer Emergency Response Team, and the United Kingdom's National Cyber Security Centre) published a joint cybersecurity advisory identifying the top vulnerabilities routinely exploited by malicious threat actors in 2023.

CPPA Board Advances CCPA Regulations to Formal Rulemaking; Adopts New Data Broker Regulations

On November 8, 2024, the California Privacy Protection Agency (CPPA) board advanced to formal rulemaking the CCPA draft regulations on cybersecurity audits, risk assessments, automated decision-making technology, and insurance. The CPPA board also adopted the California Delete Act proposed regulations, which clarify data broker registration requirements and provide definitions for key terms under the Delete Act.

Congressional Research Service Report Sheds Light on October Telecommunications Attack by PRC-Linked Threat Actor

In early October 2025, several media outlets reported that U.S. telecommunications services had been infiltrated by state-affiliated threat actors linked to the People's Republic of China (PRC). These reports were followed by a joint press release on October 25, 2024 by the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency stating that the government is investigating “the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People's Republic of China.” Several days later, on October 29, 2024, the Congressional Research Service issued an updated report stating that the PRC state-sponsored hacker group dubbed “Salt Typhoon” by security researchers was reportedly responsible for the attack on U.S. telecommunications companies in early October 2024. According to the report, Salt Typhoon appears “to have conducted counterintelligence operations, seeking information on PRC targets that the United States may be surveilling.” “Typhoon” is a naming convention introduced by Microsoft, and since adopted by U.S. law enforcement agencies, for threat actors with PRC state sponsorship. Presently, three specific groups carry the Typhoon moniker: Flax Typhoon, known for using Internet of Things devices as an entry point to target Taiwanese and U.S. critical infrastructure; Volt Typhoon, known for using stealth and espionage to prepare for potential future disruptions of U.S. critical infrastructure; and Salt Typhoon, known for conducting espionage and counterintelligence.

Combatting the New Insider Threat: North Korean IT Workers Posing as Remote Employees

On November 1, 2024, the New York Department of Financial Services (NYDFS) issued a cybersecurity advisory on a growing threat posed by North Korean operatives seeking remote IT roles at U.S. companies. These operatives secure jobs at prominent companies, generate revenue for the regime, and have the potential to expose sensitive corporate data. These highly sophisticated threat actors use a range of tactics to disguise their identities and infiltrate businesses, posing significant security risks. This alert consolidates critical information from the NYDFS and FBI on the tactics used by these actors, the vulnerabilities they exploit, and recommended steps for companies to mitigate these threats.

Massachusetts Top Court Torpedoes Website Analytics Wiretapping Class Action

On October 24, 2024, in a long-awaited decision in Vita v. New England Baptist Hospital, Massachusetts's highest court snuffed out an attempt to use the state's 1968 Wiretap Act to impose liability on a hospital system for its use of third-party analytics technologies on its website. The case had been closely watched by the business community, including amicus briefing by the U.S. Chamber of Commerce expressing concerns that an opposite holding could have imposed “crippling and virtually unlimited liability” under the state's Wiretap Act for “injury-less claims.”

Summary of Changes from DoD CMMC Proposed Rule to Final Rule

On October 11, 2024, the Department of Defense issued its Final Program Rule for the Cybersecurity Maturity Model Certification (CMMC) Program. The Final Rule is a signal to federal contractors to develop compliance programs pertaining to CMMC before the implementation of the program (likely next year).

SEC 2025 Examination Priorities Indicate Sustained Focus on Cybersecurity & Data Protection

The SEC has released its Examination Priorities: Fiscal Year 2025, which may be a useful roadmap to SEC-registered investment advisers, exchanges, and other entities subject to routine examination by the SEC Division of Examinations. The examination priorities represent the division staff's identification of areas of heightened risks to investors and the integrity of the U.S. capital markets, based on prior years' examinations, market events, information gathered from conversations with investors and industry groups, and information from other regulators. Although the examination priorities are not a comprehensive list of the issues that the division will scrutinize in examinations, as in prior years, information security and operational resiliency remain a focus.

President Biden Signs First National Security Memorandum Focused on AI

On October 24, 2024, President Biden signed the first-ever National Security Memorandum (NSM) focused on artificial intelligence, pursuant to subsection 4.8 of Executive Order 14110. The NSM provides guidance on developing, employing, and strengthening AI usage within the federal government. The NSM outlines three main objectives that serve as guideposts in directing the U.S. government in “appropriately harnessing … AI models and AI-enabled technologies.”

NYDFS Issues Guidance on Artificial-Intelligence-Related Cybersecurity Risks

On October 16, 2024, the NYDFS issued an industry letter, Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks. The letter contains guidance for entities regulated by the NYDFS in assessing and responding to cybersecurity risks related to the use of AI, specifically the use of AI by threat actors and the risks posed by a covered entity's AI systems.

DOJ Unseals Indictment of Evil Corp Member, While OFAC Announces New Evil Corp Sanctions

On October 1, 2024, the Department of Justice (DOJ) unsealed an indictment against Aleksandr Viktorovich Ryzhenkov, a member of the ransomware group Evil Corp. The indictment charges Ryzhenkov with several violations of the Computer Fraud & Abuse Act, as well as conspiring to commit money laundering, arising from his use of a ransomware strain called “BitPaymer.” In addition to his alleged work with Evil Corp, the UK's National Crime Agency has reported that Ryzhenkov is also a suspected affiliate of LockBit, another ransomware group that the FBI disrupted in February 2024 and that saw the DOJ indict one of its leaders in May 2024.

NIST Releases Updated Draft Guidelines Regarding AI Use in Identity Systems

On August 21, 2024, the National Institute of Standards and Technology (NIST) released the second draft of its Digital Identity Guidelines, which provides federal agencies with a framework for identity-proofing and authentication of external employees, government contractors, and individuals accessing government information systems and services. Building on the first draft of the guidance, the second draft expands on requirements for risk management, identity-proofing models, authentication protocols, and safeguards for detecting and preventing fraud.

Ransomware Activity Trends in Q2 2024

Ransomware attacks are hitting record highs in 2024 and show no sign of slowing down as new criminal groups enter the scene and employ a variety of evolving tactics. Multiple recent security reports have reported a significant increase in ransomware attacks claimed by criminal groups in Q2 2024, making it the second-highest quarter on record for claimed attacks.

California Joins the Neural Data Bandwagon

On August 31, 2024, the California legislature passed SB 1223, which amends the CCPA/CPRA to include “neural data” as a type of sensitive data. SB 1223 defines “neural data” as “information that is generated by measuring the activity of a consumer's central or peripheral nervous system, and that is not inferred from nonneural information.” California follows Colorado as the second state to include neural data as a category of sensitive data under its state comprehensive privacy law.

New Joint CISA–FBI–DC3 Guidance Advises on Ransomware Threats Linked to Iran-Backed Hackers: What Enterprises Need to Know

On August 28, 2024, the CISA, FBI, and Department of Defense Cyber Crime Center (DC3) released a joint advisory warning of increased collaboration between Pioneer Kitten, an Iranian state-backed threat actor, and various ransomware groups. The advisory highlights how Iranian threat actors are leveraging relationships with affiliates of NoEscape, Ransomhouse, and the defunct ALPHV/BlackCat to launch attacks more efficiently.

Department of Justice Intervenes in Cybersecurity Qui Tam Action Against Georgia Tech

On August 22, 2024, the DOJ filed a complaint in intervention in the case of United States v. Georgia Tech. This lawsuit, which was originally filed under seal by relators Christopher Craig and Kyle Koza on July 8, 2022, concerns the cybersecurity program that Georgia Tech, acting under a federal government contract, is required to maintain for its work in federal defense research. The DOJ's intervention in the Georgia Tech case marks the first time that the DOJ has intervened to litigate a cybersecurity-based lawsuit under the False Claims Act, commonly referred to as a qui tam action.

California Passes Generative AI ‘Training Transparency’ Bill

On August 27, 2024, the California state legislature passed AB 2013 and sent it to Governor Gavin Newsom for signature. If signed, AB 2013 would require companies that make generative AI systems and services publicly available to Californians to post documentation on their websites about the data used to train Gen AI systems and services. This documentation would need to be posted by January 1, 2026. [editors' note: AB 2013 was signed by the governor on September 28.]

U.S. Cybersecurity and Infrastructure Security Agency Issues Joint International Guidance for Event Logging and Threat Detection

On August 21, 2024, the CISA, alongside government agencies of key global allies, including Australia, the UK, Canada, and Japan, released guidance on event logging and threat detection best practices. The guidance was published in response to the increased prevalence of threat actors employing Living off the Land techniques to evade detection.

New York Attorney General Investigates Companies for Website Tags, Publishes Guidelines on Online Tracking Technologies

On July 30, 2024, New York Attorney General Letitia James announced she had completed an investigation into the tracking technology practices of popular websites and used this announcement to create website privacy guides on online tracking for New York businesses and consumers, the Business Guide and Consumer Guide. The Business Guide is directed to companies providing services to New York consumers and explains how businesses can identify and prevent common issues when implementing cookies and other online tracking technologies. It also provides guidance on complying with New York online tracking law.

DOJ Continues to Investigate and Prosecute North Korean IT Worker Fraud Scheme

On August 8, 2024, the DOJ announced that it had charged a Nashville man for his alleged role in assisting North Korea with a scheme designed to funnel money from legitimate U.S.-based businesses through fraudulently hired remote IT workers. The DOJ warned that, through the use of stolen identities and remote desktop software, North Korean IT workers located throughout China and Russia have continued to circumvent international sanctions and obtain high-paying remote IT jobs for the purpose of raising revenue for the North Korean weapons of mass destruction program.

Selected Global Privacy & Cybersecurity Updates

Forthcoming UK Cyber Security and Resilience Bill to Boost the UK's Cyber Defenses

In the July 2024 King's Speech, the UK government announced its intention to introduce a Cyber Security and Resilience Bill to improve the UK's cyber defenses and protect essential public services. The announcement comes as companies and countries increasingly face attacks by cyber criminals and state actors, sometimes disrupting public services and infrastructure.

Singapore Cybersecurity Agency Publishes Guidelines on Securing AI Systems

On October 15, 2024, the Cyber Security Agency of Singapore (CSA) published Guidelines on Securing AI Systems alongside a Companion Guide for Securing AI Systems, which is intended to serve as support for the guidelines. In its announcement, the CSA states that while AI offers significant benefits for the economy and society, it is crucial to ensure AI systems behave as intended and that the cybersecurity risks are properly addressed. The CSA notes that AI should be secure by design and by default, and companies should take a proactive approach to managing security risks from the outset.

Green Light for the Enforcement of NIS 2 in Limited EU Countries Only

EU Member States had until October 17, 2024 to transpose the Network and Information Security (NIS) 2 Directive into their national laws. As directives are not directly applicable in EU Member States, the EU legislature required all 27 Member States to incorporate into their national laws the requirements of NIS 2 and to make them binding on covered entities within their jurisdictions. However, a large number of EU Member States have missed the transposition deadline.

EDPB Adopts Opinion on the Use of Processors and Subprocessors

On October 7, 2024, the European Data Protection Board (EDPB) adopted an opinion on obligations following from the use of processors and subprocessors. The EDPB is the body that seeks to ensure harmonized application of the EU GDPR across the European Economic Area (EEA) and is composed of the heads of the data protection authorities in each EEA state, as well as the European data protection supervisor. The opinion was rendered in response to questions posed by the Danish supervisory authority to the EDPB concerning controllers' obligations toward processors, as well as specific questions about the wording of processing contracts.

Belgian Data Protection Authority Publishes Guidance on the Interplay Between the GDPR and the AI Act

On September 19, 2024, the Belgian Data Protection Authority (DPA) issued new guidance on the interplay between the recently adopted EU Regulation on Artificial Intelligence (the AI Act) and the GDPR, which aims to provide further insight into the use of AI systems that process personal data.

EU Data Protection Regulators Publish Additional Guidance on the EU-U.S. Data Privacy Framework

In July 2024, the EDPB, which is composed of the national data protection authorities of the countries in the EEA, as well as the European data protection supervisor, adopted two FAQ documents for the EU-U.S. Data Privacy Framework (DPF) aimed at providing further insight into the functioning of the DPF. The European Commission considers transfers of personal data from the EEA to companies in the U.S. that are certified under the DPF to enjoy an adequate level of protection. As a result, personal data can be transferred freely from the EEA to the U.S. by certified companies without the need to put in place additional data-transfer safeguards.