July CyberCapsule

(August 7, 2023) – Welcome to the July edition of the CyberCapsule. In this edition, we highlight new ways the Biden administration is attempting to combat cyber incidents and the threat actors' continued evasiveness and pervasiveness. The SEC also made a splash, both with the recent Covington order and with the long-awaited release of its disclosure rules. And, finally, we remind our readers of two newly amended data breach notification statutes.

Consider This

Safety in Numbers. On July 3, 2023, the United States announced the launch of its CyberSentry program, a managed threat detection and monitoring capability, governed by an agreement between CISA and voluntarily participating critical infrastructure partners that operate significant systems supporting national critical functions.

FBI Embroiled in Whack-a-Mole. On July 7, 2023, the FBI discovered a new dark website that trades and sells stolen data. This new dark website replaced a prior site that the FBI removed earlier in June.

Hackers Hate Him. On July 13, 2023, the White House released its plan to implement the national cybersecurity strategy that President Biden unveiled in March 2023. The plan establishes five pillars and seeks to place more responsibility on the technology sector over software security.

Looking for a Guided Trip to the Cloud? Look no further, because on July 17, 2023, CISA released a factsheet designed to arm organizations transitioning to the cloud with a list of tips and tools to protect their new cloud environments.

Come Together, Right Now. On July 25, 2023, the Department of Justice announced the merging of its National Cryptocurrency Enforcement Team (NCET) with its Crime and Intellectual Property Section (CCIPS) to help more fully investigate cryptocurrency crime and ransomware attacks.

Them’s Fightin’ Words. On July 27, 2023, U.S. Senator Wyden wrote to Attorney General Garland and the heads of the FTC and CISA, declaring Microsoft’s negligent cybersecurity practices allowed the Chinese government to launch a successful espionage attack against the U.S.

As The World Turns

Hospitals Sick with Ransomware, No Cure in Sight. Emsisoft, a New Zealand-based cybersecurity company, reported that as of July 3, 2023, 19 providers operating 33 hospitals experienced ransomware attacks this year, compared to only 25 ransomware attacks in all of 2022.

CopyCat? On July 23, 2023, taking a page out of the BlackCat playbook, the Clop ransomware group began creating Internet-accessible leak sites.

Who Says a Black Cat Brings Bad Luck? On July 26, 2023, researchers detected that the BlackCat data leak site added a new page providing instructions for using its API to collect real-time updates about new victims. The move is an attempt to provide easier access to information about potential victims, in hopes of increasing the pressure on victims to pay a ransom.

In Need of Adjustment? A July 26, 2023 report revealed that vendor email compromise (VEC) is on the rise. In a VEC, a threat actor impersonates a trusted individual at a company’s vendor. The likelihood of a company falling victim to a VEC attack rose to 70% in May 2023.

Shame, Shame, Shame. According to a recent report issued on July 28, 2023, 1,400 organizations were named on data extortion and ransomware sites in the second quarter, a 66% increase from Q1.

Can We Manufacture A Way to Prevent Encryption? Sophos reported that 68% of ransomware attacks against the manufacturing sector have resulted in successful encryption. But the percentage of manufacturing companies relying on backups to recover data rose.

In Under-Reported News...

Whose Privilege Is It Anyway? On July 24, 2023, U.S. District Judge Amit Mehta ordered that Covington must disclose the names of seven clients to the SEC, overruling Covington’s objections that doing so would breach the attorney-client privilege. Judge Mehta decided that the SEC had a legitimate purpose in trying to discover if illegal trading occurred using the information the threat actors accessed on Covington’s servers. How this order will impact when and whether organizations will disclose incidents and cooperate with government agencies remains to be seen.

SEC Lays Down Cybersecurity Law for Public Companies. On July 26, 2023, the SEC adopted its long-awaited rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. For a summary of those rules and how they impact public organizations, read our latest Legal Alert.

Don't Forget

Let’s Hope This Has an Impact. On June 27, 2023, Rhode Island amended its data breach law, which took effect that same day. The amendment requires, among other things, that state agencies and municipalities notify: (1) the State Police of an incident within 24 hours of discovery of the incident; (2) impacted individuals within 30 days of the incident (as opposed to 45 days for non-public agencies); and (3) a collective bargaining agent, as appropriate.

Don’t Mess with Texas. On September 1, 2023, Texas’s amended data breach law will take effect. The amendments reduce the time to notify the Texas attorney general from 60 days to 30 days. The amendments also require that notification be made via an electronic form on the attorney general’s website.

For more information, visit our Data Privacy & Cybersecurity Practice page to find an experienced attorney in your area. Read more about data privacy and cybersecurity on our blog, Digital Insights.
