Tag Archives: Jeannie S. Rhee

The Year That Was: Key Cybersecurity and Privacy Developments in 2023 and Issues for 2024

by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog

From left to right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog. Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP.

At the beginning of the year, we predicted that the use of personal information and the protection of data in an evolving threat environment would be the focus of increased legislation, regulation, and regulatory enforcement. And 2023 delivered, with both threat actors and regulators presenting new challenges for technology and legal teams. At the same time, these teams are navigating how to harness the burgeoning potential of rapidly evolving artificial intelligence applications while mitigating associated security, legal, and related risks. Amidst all of the noise, we break down below ten key developments of 2023 that contributed to an increasingly complex legal and data security landscape and prompted business leaders to increase resources and attention to bolster their defenses and ensure compliance with their growing list of legal obligations. We predict a continued flurry of activity in 2024. Continue reading

Theft of Federal Funds Highlights Expanding Cyber Threat from Foreign Actors

by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Steven C. Herzog, and David Kessler

Photos of the authors

From Left to Right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Steven C. Herzog, and David Kessler

The Secret Service has reported that APT41, a hacking organization, stole roughly $20 million in federal COVID-19 relief funds by obtaining access to the computer systems of a number of U.S. states beginning in mid-2020.[1]  According to the Secret Service, APT41 is a “Chinese state-sponsored, cyberthreat group that is highly adept at conducting espionage missions and financial crimes for personal gain.”[2]  While experts are uncertain regarding whether the breach by APT41 was ordered by the PRC government or merely tolerated, the Secret Service announcement marks the first public confirmation by a federal agency of a state-affiliated hacking group breaching U.S. cyber defenses to steal federal funds. According to the government, the hackers obtained unemployment insurance funds and Small Business Administration loans from more than a dozen states.[3]  The true scope of the breach remains unclear, with officials speculating that government networks in all 50 states were likely targeted.[4]  The Secret Service has further linked the APT41 intrusion to the organization’s broader efforts to access and interrogate state networks.[5]

Continue reading

NYDFS Fines First Unum and Paul Revere Insurance Companies $1.8 Million for Violations Arising Out of Data Breaches

by H. Christopher Boehning, Michael E. Gertzman, Roberto J. Gonzalez, Jeannie S. Rhee, Richard C. Tarlowe, Steven C. Herzog, and Cole A. Rabinowitz 

On May 13, 2021, the New York Department of Financial Services (“NYDFS”) announced a consent order with First Unum Life Insurance Company of America (“First Unum”) and Paul Revere Life Insurance Company (“Paul Revere”) (collectively the “Companies”), which imposed a $1.8 million penalty for violations of NYDFS’s Cybersecurity Regulation (23 NYCRR 500) (“Part 500”), including false certifications of compliance under 23 NYCRR 500.17. Continue reading

DOJ Announces First False Claims Act Settlement with Borrower and Its CEO for PPP Fraud

by Jessica S. Carey, Michael E. Gertzman, Roberto J. Gonzalez, Loretta E. Lynch, Carl L. Reisner, Jeannie S. Rhee, Richard C. Tarlowe, Jacob A. Braly, and Dana L. Kennedy

On January 12, 2021, the U.S. Attorney’s Office for the Eastern District of California announced the first civil settlement with a borrower for allegedly committing fraud in obtaining a Paycheck Protection Program (PPP) loan, in violation of the False Claims Act (FCA) and the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA).[1] DOJ alleged that the borrower, SlideBelts Inc., and its president and CEO falsely stated in their PPP applications that the company was not “presently involved in any bankruptcy,” which was a condition of PPP eligibility.[2] The settlement was for $100,000, and the company also previously repaid the $350,000 PPP loan. Continue reading

VinDAX Is the Seventh Cryptocurrency Exchange Hacked This Year: What Should Investors Be Considering?

by Mark S. Bergman, Roberto Finzi, Christopher D. Frey, Manuel S. Frey, David S. Huntington, Jeannie S. Rhee, Raphael M. Russo, Jonathan H. Ashtor, Steven C. Herzog, Daniel J. Klein, and Apeksha S. Vora

On November 5, 2019, Vietnam-based cryptocurrency exchange VinDAX was hacked, losing half a million U.S. dollars’ worth of funds spread across 23 different cryptocurrencies.[1] The VinDAX hack marks the latest in a series of cryptocurrency exchange hacks and data breaches that have taken place this year, and is part of a larger and growing trend of digital currency heists that have occurred since Bitcoin, the first cryptocurrency, was introduced in 2008.[2] In July of this year, Japan-based cryptocurrency exchange Bitpoint was also hacked, losing about $32 million in cryptocurrency,[3] and earlier this year, hackers stole $16 million worth of cryptocurrency from New Zealand-based Cryptopia.[4]  Losses from cryptocurrency hacks this year alone are reported to have totaled around $1.39 billion worth of assets.[5] Continue reading

DOJ Announces Government Procurement Collusion Strike Force

by Craig A. Benson, Joseph J. Bial, Andrew C. Finch, Andrew J. Forman, Kenneth A. Gallo, Jonathan S. Kanter, Mark F. Mendelsohn, William B. Michael, Jane B. O’Brien, Jeannie S. Rhee, Jacqueline P. Rubin, Charles F. “Rick” Rule, Aidan Synnott, and Mark R. Laramie. 

On November 5, the United States Department of Justice (DOJ) announced that it – along with the FBI, the Department of Defense (DOD), the United States Postal Service (USPS) and the General Services Administration (GSA) – is forming a new government Procurement Collusion Strike Force. The strike force will focus “on deterring, detecting, investigating and prosecuting” collusion among companies and individuals involved in government procurement at all levels. Within the DOJ, the strike force will involve prosecutors from the Antitrust Division and thirteen United States Attorney’s offices from around the country, including Chicago, Dallas, New York, Los Angeles, Miami, Sacramento and Washington, D.C.  In addition to involvement by the Offices of Inspector General (OIG) of the DOD, USPS and GSA, the task force will also partner with other federal agency OIGs.  The announcement was made by Deputy Attorney General Jeffrey A. Rosen and Assistant Attorney General for Antitrust Makan Delrahim.  During the announcement, Mr. Delrahim noted that “today, more than one third of the Antitrust Division’s 100-plus open investigations relate to public procurement or otherwise involve the government being victimized by criminal conduct.” Continue reading

Social Media Bot Company Devumi LLC Reaches $2.5 Million Settlement with FTC for Sale of Misleading Social Media “Influence Indicators”

by Christopher D. Frey, Roberto J. Gonzalez, Jeh Charles Johnson, Jonathan S. Kanter, Claudine Meredith-Goujon, Lorin L. Reisner, Jeannie S. Rhee, Richard C. Tarlowe, Alessandra Baniel-Stark, Daniel J. Klein, and Taylor C. Williams.

Background

On October 21, 2019, the Federal Trade Commission (“FTC”) settled its first-ever complaint against a company for selling fake indicators of social media influence such as phony likes, follows, views, and subscribers to users on Twitter, LinkedIn, YouTube, Pinterest, Vine, and SoundCloud.[1] The company, Devumi LLC (“Devumi”), and its CEO, German Calas, Jr., settled the enforcement action with a $2.5 million fine.[2] The company was dissolved in 2018.[3]  Reporting suggested that Devumi maintained an estimated stock of at least 3.5 million automated accounts, thousands of which used personal details of real social media users (who had not engaged Devumi’s clients with follows, likes, etc.), and that these accounts were used to generate the false indicators of social media influence.[4] 

The FTC found, for example, that Devumi filled more than 58,000 orders for fake Twitter followers from a diverse set of buyers, including actors, athletes, musicians, investment professionals, lawyers, and experts who wanted to increase their appeal as influencers or otherwise boost their credibility.[5] Devumi filled over 800 orders for fake LinkedIn followers to marketing and public relations firms, consulting firms, and financial services companies, among others.[6] Continue reading