Topic: Cybercrime

Subscribe to Cybercrime RSS feed

OFAC Announces New Measures to Address Ransomware Attacks

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Stefan H. Reisinger (US)By Chris Cwalina (US), Ashley Zatloukal (US) and Stefan H. Reisinger (US) on Posted in Cybercrime, Cybersecurity, Ransomware

The U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) implemented additional measures today to combat the growing ransomware problem.  OFAC’s measures consist of: (1) the designation of the entire SUEX OTC, S.R.O. (“SUEX”) crypto-currency exchange (SUEX) to the SDN List; (2) designating a fairly large number (~25) additional digital currency addresses to the SDN List; and (3) amending its earlier October 1, 2020 guidance to companies on the potential sanctions risks for facilitating ransomware payments.  OFAC’s summary of the additional sanctions designations is available here and its updated guidance is available here.

While OFAC has previously designated … Continue Reading

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

Photo of Chris Cwalina (US)Photo of Ashley Zatloukal (US)Photo of Anna Rudawski (US)By Chris Cwalina (US), Ashley Zatloukal (US) and Anna Rudawski (US) on Posted in Cybercrime, Cybersecurity, Data breach, Vendor management and transactions
Norton Rose Fulbright - Data Protection Report blog

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after the widely publicized Capital One decision, where plaintiffs were also forced to turn over a forensic report.

Work-Product Doctrine

With respect to defendant’s work-product arguments, the court found that the doctrine did not apply.  First, in the opinion of the court, the Kroll Report was … Continue Reading

NYDFS Requires COVID-19 Plans by April 9

Photo of Susan Ross (US)Photo of Kathleen Scott (US)By Susan Ross (US) and Kathleen Scott (US) on Posted in Compliance and risk management, Cybercrime, Cybersecurity, Dispute resolution and litigation, Enforcement, General
Norton Rose Fulbright - Data Protection Report blog

On March 10, 2020, the New York Department of Financial Services (NYDFS) issued guidance to all of its regulated institutions engaged in virtual currency business activity, requiring them to have plans for preparedness to manage the possible operational and financial risks posed by the COVID-19 pandemic. NYDFS requires the plans to be submitted by Thursday, April 9, 2020.… Continue Reading

Good news for employers, finally – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

Photo of Steven Hadwin (UK)Photo of Marcus Evans (UK)Photo of Amanda Sanders (UK)By Steven Hadwin (UK), Marcus Evans (UK), Amanda Sanders (UK) and Janine Regan (UK) on Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation
Norton Rose Fulbright - Data Protection Report blog

In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.

The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case.… Continue Reading

Data protection and cyber risk issues in arbitration – dealing with regulation, cyber attacks and hacked evidence

Photo of Pierre Bienvenu (CA)Photo of Ben Grant (UK)By Pierre Bienvenu (CA) and Ben Grant (UK) on Posted in Cybercrime, Cybersecurity, Data breach, Dispute resolution and litigation, General

The GDPR has significantly altered the landscape of data protection. Its broad scope and potentially severe penalties have forced those who hold and process data to take note of its provisions. In certain instances, that will include many in the international arbitration community, such as arbitral institutions. In parallel, cyber attacks and instances of hacking in the arbitration context have brought cyber security issues to the fore.

As a result, data protection and cyber security are now hot topics in international arbitration. A majority of respondents in the 2018 Queen Mary International Arbitration Survey listed “security of electronic communications and … Continue Reading

Cybersecurity and the SEC

Photo of Susan Ross (US)Photo of Alexis Wilpon (US)By Susan Ross (US) and Alexis Wilpon (US) on Posted in Compliance and risk management, Cybercrime
Data Protection Report - Norton Rose Fulbright

The U.S. Securities and Exchange Commission (“SEC”) may not be the first agency that comes to mind with respect to cybersecurity, but the SEC has been in the headlines recently with respect to cyber fraud in particular. Earlier this month, the SEC promulgated a report urging companies to take preventive measures against cyber fraud.… Continue Reading

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

Photo of Susan Ross (US)Photo of Alexis Wilpon (US)By Susan Ross (US) and Alexis Wilpon (US) on Posted in Compliance and risk management, Cybercrime, Data breach
Data Protection Report - Norton Rose Fulbright

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial access enabled the hackers to gain entry to power company control systems through a complex series of security compromises lasting quite some time. … Continue Reading

Singapore passes new Cybersecurity Bill: Here’s what you need to know before it comes into force

Photo of Stella Cramer (SG)Photo of Wilson Ang (SG)Photo of David Olds (SG)Photo of Jessica Paulin (SG)Photo of Jeremy Lua (SG)By Stella Cramer (SG), Wilson Ang (SG), David Olds (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on Posted in Cybercrime, Data breach, General

The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon.[1]   The new law creates a regulatory framework for the monitoring and reporting of cybersecurity threats to essential services in Singapore through the appointment of the Commissioner of Cybersecurity.  It also creates a licensing regime that will require certain data security service providers in Singapore to be registered.

We set out below four key points that you should know about this new Bill.… Continue Reading

Discovery of New Internet of Things (IoT) Based Malware Could Put a New Spin on DDoS Attacks

By on Posted in Compliance and risk management, Cybercrime
Norton Rose Fulbright - Data Protection Report blog

Slightly over one year ago, several major distributed denial-of-service (“DDoS”) attacks took place, including a major event affecting the domain name service provider Dyn, which caused outages and slowness for a number of popular sites, including Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter.

Now, a new Internet of Things (IoT) botnet, called IoT Reaper, or IoTroop, has been discovered by researchers and could present a threat that could dwarf the 2016 attacks and create a major disruption to internet activity around the world.… Continue Reading

Singapore proposes changes to cybersecurity and data protection regimes

Photo of Stella Cramer (SG)Photo of Wilson Ang (SG)Photo of Magdalene Lie (UK)Photo of Jeremy Lua (SG)By Stella Cramer (SG), Wilson Ang (SG), Magdalene Lie (UK) and Jeremy Lua (SG) on Posted in Cybercrime, Data breach
Data Protection Report - Norton Rose Fulbright

In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant impact on how companies manage personal data and secure their information systems.

This article seeks to summarise the proposed changes to the Singapore cybersecurity and data protection regulatory framework and provide some brief thoughts on how this may impact organisations operating in Singapore.… Continue Reading

New Global Cyberattack Affects Businesses, Government, and Infrastructure

By on Posted in Compliance and risk management, Cybercrime
Norton Rose Fulbright - Data Protection Report blog

A new strain of malware began infecting computer systems across the globe on Tuesday.  Similar to the WannaCry ransomware that struck last month, the malware used in this week’s attack spreads quickly across multiple computers on a network, encrypting files and displaying a ransom note that requests $300 worth of bitcoin for a decryption key.

Reports of infection began in Ukraine, where computer systems belonging to government ministries, financial institutions, transportation systems, and major energy companies began malfunctioning.  The attack was first believed to be caused by a variant of the “Petya” strain of ransomware, however recent reports from security Continue Reading

Large Ransomware Attack Affects Companies in Over 70 Countries

By on Posted in Compliance and risk management, Cybercrime
Norton Rose Fulbright - Data Protection Report blog

A large-scale ransomware attack began impacting companies and hospitals across the United States, Europe, and Asia early Friday morning.  According to reports, companies in more than 70 countries have reported incidents as of Friday afternoon.

The attacks are being caused by ransomware called “WannaCry,” which quickly moves across systems to encrypt large amounts of computer data.  Ransom demands seen during the current attack have requested Bitcoin amounts that equal between $300 and $600 in return for the decryption key.  According to security researchers, the ransomware exploits a vulnerability in Microsoft’s Windows operating system that was disclosed in an … Continue Reading

Hong Kong: SFC consults on proposed measures to improve cyber security for internet trading of securities in Hong Kong

Photo of James Parker (HK)Photo of Anna Gamvros (HK)By James Parker (HK) and Anna Gamvros (HK) on Posted in Compliance and risk management, Cybercrime, Regulatory response

A two-month consultation on proposed measures to reduce and mitigate cyber security risks associated with internet trading of securities in Hong Kong (the Consultation) was launched on 8 May 2017 by the Securities and Futures Commission (the SFC).

The Consultation follows a recent review by the SFC of resilience of brokers in Hong Kong to cyber-attacks (such as the hacking of trading accounts, installation of ransomware and denial of service attaches) and is set against a backdrop of the increasing number of cyber security incidents to the financial services sector.

For further information please see this post on our Financial … Continue Reading

Singapore legal update: Firm warned for WhatsApp personal data disclosure

Photo of Magdalene Lie (UK)By Magdalene Lie (UK) on Posted in Cybercrime, Data breach, General

Singapore’s Personal Data Protection Commission has on 21 March 2017 issued a warning to a local firm for disclosing a former employee’s personal information in a company WhatsApp group.

A director at the firm, Executive Coach International, had shared highly sensitive information about the former employee with 58 members of a chat group comprising staff and volunteers. The firm provides life and executive coaching services to individuals and corporate clients.

The case is the first in Singapore to find that sharing personal data via a private, members-only instant messaging group is still a breach of the Personal Data Protection Act … Continue Reading

Legal Implications of DDoS Attacks and the Internet of Things (IoT)

By on Posted in Cybercrime
Data Protection Report - Norton Rose Fulbright

Several significant distributed denial-of-service (“DDoS”) attacks have taken place in the last few weeks, including a major event involving a domain name service provider (Dyn), which caused outages and slowness for many popular sites like Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter. This significant attack came on the heels of two major DDoS attacks against KrebsonSecurity and France-based hosting provider, OVH, in late September—each of which set records as the largest of these attacks in history. Most recently, nearly 900,000 Deutsche Telekom routers in Germany were attacked, causing significant internet and television outages across the country. … Continue Reading

UAE Outlaws Sales of Personal Data and Increases Fines for Companies

By on Posted in Compliance and risk management, Cybercrime
Data Protection Report - Norton Rose Fulbright

The United Arab Emirates Penal Code was amended with effect from October 29, 2016 to outlaw the copying, distribution or disclosure of information that a person obtains in the course of their employment. This new offence will target company insiders (or service providers) unlawfully dealing in personal data. Other changes to the Penal Code will increase the maximum penalty payable by organisations for criminal acts committed by their representatives.… Continue Reading

Major DDoS Attacks Signal Need for Strengthened Cyber Defenses

Photo of Daniel Leslie (CA)By Daniel Leslie (CA) on Posted in Compliance and risk management, Cybercrime
Data Protection Report - Norton Rose Fulbright

On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS host. DNS hosts operate in a manner akin to a switchboard for the Internet, helping to route domain names (e.g., dataprotectionreport.com) to underlying IP addresses (e.g., 104.28.6.115). By attacking Dyn, hackers were able to prevent end-users from reaching the websites and online services that relied on Dyn, including Netflix, Twitter, Spotify, SoundCloud, Amazon, AirBnB, Reddit, PayPal, Pinterest, CNN, Fox News, the Guardian, the New York Times, and the Wall Street Journal. In a statement, Dyn … Continue Reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

By on Posted in Compliance and risk management, Cybercrime, Regulatory response
Data Protection Report - Norton Rose Fulbright

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action.… Continue Reading

U.S. Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents

By on Posted in Compliance and risk management, Cybercrime, Regulatory response
Data Protection Report - Norton Rose Fulbright

On July 26, 2016, the White House issued the United States Cyber Incident Coordination Directive (Presidential Policy Directive PPD-41, including an Annex).  The Directive sets forth the principles governing the Federal Government’s response to cyber incidents, including incidents affecting private entities that are part of U.S. critical infrastructure.  The Directive is designed to improve coordination between government agencies and to clarify inter-departmental involvement in response to a cyber incident.… Continue Reading

The Intersection of Trademark Law and Cybersecurity

By on Posted in Cybercrime, General
Data Protection Report - digital privacy, CCPA and cybersecurity

Earlier this week, our colleague Sue Ross wrote on the intersection of trademark law and cybersecurity on Norton Rose Fulbright’s Brand Protection Blog. The post explains that by protecting its brand, a company can help to improve cybersecurity. For example, by seeking to recover “squatted” domain names and complaining to social networks about trademark infringement, a company can help to ensure that consumers are interacting with the intended party. As “squatted” domains and accounts are sometimes used to spread malware and collect sensitive information from emails sent to mistyped domain names, a company can help to improve cybersecurity and … Continue Reading

UAE Employees Jailed for Privacy Breach Before Ultimately Being Acquitted

By on Posted in Compliance and risk management, Cybercrime
Data Protection Report - Norton Rose Fulbright

A recently-reported court case in the United Arab Emirates has highlighted the importance of establishing and implementing good privacy practices, even in the absence of specific data protection legislation.

In late 2014, the UAE public prosecutor charged three officials from a federal authority – the general director, a branch manager and an IT manager – with violating privacy laws and breaching public security by placing CCTV cameras in a female customer service centre. The men argued that they had installed the cameras for security purposes and that the female employees were aware of the cameras. The men were initially held … Continue Reading

LexBlog