Topic: Cybercrime

Cybersecurity and the SEC

By Susan Ross (US) and Alexis Wilpon (US) on October 31, 2018 Posted in Compliance and risk management, Cybercrime

Data Protection Report - Norton Rose Fulbright

The U.S. Securities and Exchange Commission (“SEC”) may not be the first agency that comes to mind with respect to cybersecurity, but the SEC has been in the headlines recently with respect to cyber fraud in particular. Earlier this month, the SEC promulgated a report urging companies to take preventive measures against cyber fraud.… Continue reading

FERC issues notice of proposed rulemaking to extend reporting requirements for cyberattacks targeting the energy sector

By Susan Ross (US) and Alexis Wilpon (US) on August 9, 2018 Posted in Compliance and risk management, Cybercrime, Data breach

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial … Continue reading

Retailers must upgrade online credit card processing security by June 30

By Susan Ross (US) on June 22, 2018 Posted in Compliance and risk management, Cybercrime

By June 30, 2018, retailers accepting digital (online) credit card transactions must cease using encryption protocols known as SSL or TLS 1.0. Retailers must transition to TLS 1.1 or higher (such as the popular TLS 1.2) or else lose the ability to accept credit card payments.… Continue reading

Singapore passes new Cybersecurity Bill: Here’s what you need to know before it comes into force

By Stella Cramer (SG), Wilson Ang (SG), David Olds (SG), Jessica Paulin (SG) and Jeremy Lua (SG) on February 14, 2018 Posted in Cybercrime, Data breach, General

The Singapore Parliament passed the much discussed Cybersecurity Bill (the Bill) on 5 February 2018 and it is anticipated that the new law will come into force soon.… Continue reading

Discovery of New Internet of Things (IoT) Based Malware Could Put a New Spin on DDoS Attacks

By on November 3, 2017 Posted in Compliance and risk management, Cybercrime

Norton Rose Fulbright - Data Protection Report blog

Slightly over one year ago, several major distributed denial-of-service (“DDoS”) attacks took place, including a major event affecting the domain name service provider Dyn, which caused outages and slowness for a number of popular sites, including Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter. Now, a new Internet of Things (IoT) botnet, called IoT Reaper, or … Continue reading

Singapore proposes changes to cybersecurity and data protection regimes

By Stella Cramer (SG), Wilson Ang (SG), Magdalene Lie (UK) and Jeremy Lua (SG) on September 25, 2017 Posted in Cybercrime, Data breach

In a bid to keep pace with advancements in the technological landscape, the Singapore Government has in recent months embarked on public consultations on its draft Cybersecurity Bill (the Cyber Bill) and its proposed amendments to Singapore’s Personal Data Protection Act (PDPA) to update the country’s data protection regime. These changes will have a significant … Continue reading

New Global Cyberattack Affects Businesses, Government, and Infrastructure

By on June 30, 2017 Posted in Compliance and risk management, Cybercrime

A new strain of malware began infecting computer systems across the globe on Tuesday. Similar to the WannaCry ransomware that struck last month, the malware used in this week’s attack spreads quickly across multiple computers on a network, encrypting files and displaying a ransom note that requests $300 worth of bitcoin for a decryption key. … Continue reading

WannaCry Ransomware Attack Summary

By on May 17, 2017 Posted in Compliance and risk management, Cybercrime

In this post, we summarize key facts regarding the WannaCry ransomware attack, provide an abbreviated list of known affected companies, and offer an overview of the legal issues and the response to the attack. This post is an update to our prior coverage of WannaCry.… Continue reading

Large Ransomware Attack Affects Companies in Over 70 Countries

By on May 12, 2017 Posted in Compliance and risk management, Cybercrime

A large-scale ransomware attack began impacting companies and hospitals across the United States, Europe, and Asia early Friday morning. According to reports, companies in more than 70 countries have reported incidents as of Friday afternoon. The attacks are being caused by ransomware called “WannaCry,” which quickly moves across systems to encrypt large amounts of computer … Continue reading

Hong Kong: SFC consults on proposed measures to improve cyber security for internet trading of securities in Hong Kong

By James Parker (HK) and Anna Gamvros (HK) on May 12, 2017 Posted in Compliance and risk management, Cybercrime, Regulatory response

A two-month consultation on proposed measures to reduce and mitigate cyber security risks associated with internet trading of securities in Hong Kong (the Consultation) was launched on 8 May 2017 by the Securities and Futures Commission (the SFC). The Consultation follows a recent review by the SFC of resilience of brokers in Hong Kong to … Continue reading

Singapore legal update: Firm warned for WhatsApp personal data disclosure

By Magdalene Lie (UK) on April 5, 2017 Posted in Cybercrime, Data breach, General

Singapore’s Personal Data Protection Commission has on 21 March 2017 issued a warning to a local firm for disclosing a former employee’s personal information in a company WhatsApp group. A director at the firm, Executive Coach International, had shared highly sensitive information about the former employee with 58 members of a chat group comprising staff … Continue reading

Legal Implications of DDoS Attacks and the Internet of Things (IoT)

By on December 5, 2016 Posted in Cybercrime

Several significant distributed denial-of-service (“DDoS”) attacks have taken place in the last few weeks, including a major event involving a domain name service provider (Dyn), which caused outages and slowness for many popular sites like Amazon, Netflix, Reddit, SoundCloud, Spotify, and Twitter. This significant attack came on the heels of two major DDoS attacks against … Continue reading

UAE Outlaws Sales of Personal Data and Increases Fines for Companies

By on November 20, 2016 Posted in Compliance and risk management, Cybercrime

The United Arab Emirates Penal Code was amended with effect from October 29, 2016 to outlaw the copying, distribution or disclosure of information that a person obtains in the course of their employment. This new offence will target company insiders (or service providers) unlawfully dealing in personal data. Other changes to the Penal Code will … Continue reading

Major DDoS Attacks Signal Need for Strengthened Cyber Defenses

By Daniel Leslie (CA) on November 3, 2016 Posted in Compliance and risk management, Cybercrime

On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS host. DNS hosts operate in a manner akin to a switchboard for the Internet, helping to route domain names (e.g., dataprotectionreport.com) to underlying IP addresses (e.g., 104.28.6.115). By attacking Dyn, hackers were … Continue reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

By on October 6, 2016 Posted in Compliance and risk management, Cybercrime, Regulatory response

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading

U.S. Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents

By on August 2, 2016 Posted in Compliance and risk management, Cybercrime, Regulatory response

On July 26, 2016, the White House issued the United States Cyber Incident Coordination Directive (Presidential Policy Directive PPD-41, including an Annex). The Directive sets forth the principles governing the Federal Government’s response to cyber incidents, including incidents affecting private entities that are part of U.S. critical infrastructure. The Directive is designed to improve coordination … Continue reading

The Intersection of Trademark Law and Cybersecurity

By on July 16, 2016 Posted in Cybercrime, General

Earlier this week, our colleague Sue Ross wrote on the intersection of trademark law and cybersecurity on Norton Rose Fulbright’s Brand Protection Blog. The post explains that by protecting its brand, a company can help to improve cybersecurity. For example, by seeking to recover “squatted” domain names and complaining to social networks about trademark infringement, a company … Continue reading

UAE Employees Jailed for Privacy Breach Before Ultimately Being Acquitted

By on June 12, 2016 Posted in Compliance and risk management, Cybercrime

A recently-reported court case in the United Arab Emirates has highlighted the importance of establishing and implementing good privacy practices, even in the absence of specific data protection legislation. In late 2014, the UAE public prosecutor charged three officials from a federal authority – the general director, a branch manager and an IT manager – … Continue reading

Legal update: Security issue could impact ADP customers

By on May 11, 2016 Posted in Cybercrime

Cyber criminals appear to have gained unauthorized access to ADP, Inc.’s self-service customer portal to file fraudulent tax returns for some ADP customer employees. ADP has reportedly confirmed that a subset of its customers have been the victim of tax fraud perpetrated by hackers posing as customer employees on ADP’s portal. We recommend that ADP … Continue reading

Ransomware Incident Response – Prevention, Readiness and Strategy

By on February 28, 2016 Posted in Compliance and risk management, Cybercrime

Last week, the Hollywood Presbyterian Medical Center was able to successfully negotiate the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware that is not designed or intended to steal personal or confidential information. Rather, ransomware is … Continue reading

Cyber security – making banking safer

By Marcus Evans (UK) on January 4, 2016 Posted in Compliance and risk management, Cybercrime

Cybersecurity is rarely out of global news headlines. David Navetta and Marcus Evans have commented on the issue in the January 2016 edition of The Banker. The feature – “Cyber security – making banking safer” – looks how financial institutions are protecting their assets and customers’ data.… Continue reading

Federal Cybersecurity Information Sharing Act signed into law

By on January 3, 2016 Posted in Cybercrime, Regulatory response

On December 18, 2015, President Barack Obama signed into law the Cybersecurity Information Sharing Act of 2015 (CISA) as part of the 2016 omnibus spending bill. CISA encourages businesses and the federal government to share cyber threat information in the interest of national security.… Continue reading

Council and European Parliament reach agreement on NIS Directive

By Jay Modrall (BE) and Marcus Evans (UK) on December 10, 2015 Posted in Cybercrime, Regulatory response

On December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD). The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union … Continue reading

South Africa places limits on internet activity tracking

By Kerri Gevers (ZA) on October 26, 2015 Posted in Cybercrime, General

Each device which accesses the internet is allocated a unique number (Internet Protocol or IP address) by its internet service provider (ISP). A record is created each time this IP address accesses a webpage, including the date, time and URL (website address) accessed. These records are stored by the ISP.… Continue reading