Tag Archives: Luke Dembosky

A New Era of Federal Trade Commission (“FTC”) Privacy and Cybersecurity Oversight: Top Ten Things Companies Should Know When Assessing FTC Compliance and Exposure

by Luke Dembosky, Avi Gesser, Ted Hassi, Paul D. Rubin, Jim Pastore, Johanna Skrzypczyk, Leah Martin, Melissa Runsten, and Christopher S. Ford

Companies developing FTC compliance programs, or under investigation by the FTC’s Bureau of Consumer Protection, should be aware of significant developments impacting the Commission’s regulatory authority and enforcement priorities.

Despite a number of recent judicial defeats that have significantly hampered the FTC’s ability to obtain (1) injunctive relief when the purportedly violative behavior is not ongoing and (2) monetary remedies in federal court under Section 13(b) of the Federal Trade Commission Act (the “FTCA”), new FTC Chair Lina Khan has indicated that the FTC intends to aggressively enforce existing FTC consumer protection laws—and in particular alleged privacy and cybersecurity violations.

Regulatory Risks of the Log4j Vulnerability: FTC Warns Companies to Take Reasonable Steps to Protect Consumer Data

by Luke Dembosky, Avi Gesser, and Michael R. Roberts

Be prepared for increasing scrutiny from the Federal Trade Commission (“FTC”) and other regulators regarding the Log4j vulnerability. The attention of the cybersecurity community has been captured by the recently disclosed critical vulnerability in the widely used, open-source Java logging package, Log4j (CVE-2021-44228), and by other subsequently announced related vulnerabilities. The vulnerability is reportedly being “widely exploited” by attackers and “poses a severe risk,” according to the Cybersecurity & Infrastructure Security Agency (“CISA”) and other technical experts. CISA issued Emergency Directive 22-02 on December 17, 2021, which directs federal civilian executive branch agencies to address Log4j vulnerabilities immediately through patching or other mitigation measures. And now regulators, most notably the FTC, have begun to issue positions on the need for companies and their vendors to remediate the Log4j vulnerability and on the enforcement risks that could be presented if a company or its vendors fail to do so.

Banking Regulators Finalize 36-Hour Data Breach Notification Rule

by Luke Dembosky, Avi Gesser, Satish Kini, Gregory Lyons, Johanna Skrzypczyk, Christopher Ford, Alex Mogul, and Erik Rubinstein

On November 18, 2021, federal banking regulators published a Final Rule that imposes new notification requirements on banking organizations for certain cybersecurity incidents.

Most significantly, the Final Rule requires that banking organizations notify their primary federal regulator within 36 hours after experiencing a material or potentially material cybersecurity event.

The Final Rule will go into effect on April 1, 2022, with a required compliance date of May 1, 2022.

The regulators – the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Board (“FRB”) (together the “Agencies”) – first published a proposed rule about ten months ago, which we covered on the Data Blog. Much of the proposed rule was carried over into the Final Rule, but there are a few key differences, which we identify below.

OFAC and FinCEN Update Ransomware Guidance to Include New Red-Flag Indicators and Additional Sanctions Designations

by Luke Dembosky, Avi Gesser, Satish Kini, Aseel Rabie, and HJ Brehmer

On November 8, 2021, the U.S. Department of the Treasury (“Treasury”) announced a new set of sanctions against criminal ransomware actors, the virtual currency exchange Chatex and three companies providing material support and assistance to Chatex. By designating these entities, which have direct ties with the previously sanctioned SUEX OTC, S.R.O. (“SUEX”), Treasury is suggesting that it will continue to use all tools available to identify and take action against those involved in facilitating ransomware payments.

OFAC’s Ransomware Advisory – How Banks Can Reduce Their Sanctions Risk for Client Cyber Ransom Payments (Part II of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Scott Caravello

This is Part II of a two-part post. For Part I, which provides a general overview of OFAC’s updated ransomware advisory and the ways that victim companies can reduce their sanctions risks, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released an updated advisory (PDF: 252 KB) (the “Advisory”) on the sanctions risks associated with facilitating ransomware payments. The Advisory applies to victims of ransomware attacks, as well as to companies that facilitate payments to threat actors, including financial institutions. In Part I, we discussed the Advisory generally and the ways that victim companies can reduce their sanctions risks. In this Part II, we discuss the measures that financial institutions can adopt to mitigate their ransomware sanctions risks, and why those compliance controls differ from the steps being taken by victims.

OFAC’s Ransomware Advisory – Improved Cybersecurity Can Mitigate Sanctions Risk, and Other Takeaways (Part I of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Sarah Q. Smith

This is Part I of a two-part post. For Part II, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory (PDF: 252 KB) (the “Advisory”) on sanctions risks associated with payments to threat actors in connection with cyber ransoms. The Advisory reminds companies that all parties associated with the payment of a cyber ransom—including victims, financial institutions, insurance firms and other companies facilitating payment—are responsible for ensuring that they do not violate U.S. law and can be subject to an OFAC enforcement action if they do.

Effective Access Controls, Timely Breach Notification, and Other Takeaways from the Latest NYDFS Cyber Resolution

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Parker Eudy, and Mengyi Xu

On April 14, 2021, the New York State Department of Financial Services (the “DFS”) announced that its cyber-enforcement action against National Securities Corporation (“National Securities”) has been resolved by a Consent Order (PDF: 550 KB) that imposes a $3 million penalty. This is the latest step in the DFS’s very active cyber-enforcement agenda. The charges against First American Title Insurance Company are pending with an August 16 hearing date, and last month, the DFS reached its first full cybersecurity resolution with Residential Mortgage Services.

First Resolution by the DFS Under Its Cyber Rules Highlights the Risks of Inadequate Cyber Investigations and the Importance of Satisfying State Breach Notification Obligations

by Luke Dembosky, Avi Gesser, Jim Pastore, Chris Ford, Alexandra Mogul, and Sarah Smith

Last year, we discussed the first enforcement action brought by the New York State Department of Financial Services (“DFS”), which involved charges against First American Title Insurance Company. That hearing is scheduled for March 22.

On March 3, 2021, the DFS reached its first full resolution under its Part 500 Cybersecurity Regulation, a Consent Order with Residential Mortgage Services that imposes a $1.5 million penalty for several violations including:

  • Failure to investigate whether an attacker, who compromised a single email mailbox, accessed private data of individuals.
  • Failure to satisfy various state breach notification obligations.
  • Failure to notify the DFS of the incident.
  • Failure to conduct a cybersecurity risk assessment, as required by Part 500.

In addition to the $1.5 million fine, Residential Mortgage must undertake various risk mitigation measures to prevent future incidents.

Court Chips Away at Privilege Protections for Cyber Forensic Reports

by Jim Pastore, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Corey Goldstein, and Mengyi Xu

On January 12, Judge James Boasberg of the U.S. District Court for the District of Columbia granted plaintiff Guo Wengui’s motion to compel production of a report (the “Report”)—and related materials—prepared by forensic vendor Duff & Phelps in Guo’s lawsuit against the law firm that formerly represented him, Clark Hill, PLC (the “Firm”). See Wengui v. Clark Hill, PLC, No. 19-cv-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021). The court rejected claims that the Report was protected by the work-product doctrine and the attorney-client privilege.

The Rise of DDoS Ransom Attacks – How to Prevent and Respond

by Luke Dembosky and Avi Gesser

We have recently written about the persistence of the four most common varieties of cyberattacks: Ransomware, Phishing, Business Email Compromises, and Credential Stuffing, as well as the increased regulatory scrutiny that companies face when they fall victim to these attacks. Over the last few months, we have observed an increase in another form of cybersecurity threat: DDoS ransom attacks, where cybercriminals demand a large payment from a company in exchange for not launching a distributed denial-of-service (“DDoS”) attack that is designed to bring down the company’s website. In this post, we discuss the characteristics of these attacks and steps companies can take to prevent and mitigate damage from them.