The National Institute of Standards and Technology (NIST) Information Technology Laboratory recently released guidance entitled “Software Supply Chain Security Guidance,” in response to directives set forth in President Biden’s Executive Order 14028—Improving the Nation’s Cybersecurity.

The guidance refers to existing industry standards, tools, and recommended practices that were previously published by NIST in SP800-161 “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.”  It is designed for federal agencies that “acquire, deploy, use, and manage software from open source projects, third-party suppliers, developers, system integrators, external system service providers, and other information and communications technology (ICT)/operational technology (OT)-related service providers,” but is certainly applicable and helpful to any organization grappling with how to manage third-party software vulnerabilities after the SolarWinds incident.

The guidance walks readers through software cybersecurity for producers and users using the secure software development framework and the process by which NIST gathered evolving standards, tools, and recommended practices to address software supply chain security. The recommended practices include:

  • Ensuring that suppliers of software products and services are able to produce a Software Bill of Materials (SBOM)
  • Enhanced Vendor Risk Assessments
  • Implementing Open Source Software Controls
  • Vulnerability Management

NIST publications offer relevant and easy to understand cybersecurity guidance. With the increase we have seen in zero-day vulnerabilities and continued risk of attacks by Russia and China, this is a worthwhile and timely read.

Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law on May 10, 2022, making Connecticut the most recent state to pass its own privacy law in the absence of comprehensive federal privacy legislation. Connecticut follows in the steps of Nevada, California, Virginia, Colorado and Utah in enacting its own comprehensive privacy legislation, with more pending in various state legislatures.

The Connecticut law goes into effect on July 1, 2023, giving companies just over a year to determine whether it applies, and if so to take steps to comply. Luckily, many organizations have already put compliance programs in place for the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), so adding some nuances from other state laws, including Connecticut, will not be as daunting as the first go-round with California’s law.

The CPDPA is designed to establish a framework for controlling and processing personal data. It:

  1. sets responsibilities and privacy protection standards for data controllers;
  2. gives consumers the right to access, correct, delete, and obtain a copy of personal data and to opt out of the processing or personal data for certain purposes (e.g., targeted advertising);
  3. requires controllers to conduct data protection assessments;
  4. authorizes the state attorney general to bring an action to enforce the bill’s requirements; and
  5. deems violations to be Connecticut Unfair Trade Practices Act violations. https://cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF

The CPDPA applies to individuals and entities that conduct business in the state of Connecticut or target products or services to Connecticut residents and either: control or process personal data of at least 100,000 Connecticut consumers (except if the data is processed solely for completing a payment transaction) or control or process the personal data of at least 25,000 Connecticut consumers and derives more than 25 percent of their gross revenue from the sale of personal data. The application of the law is not tied to an actual gross revenue figure like the CCPA is ($25 million), which is an important distinction that may narrow its applicability to organizations.

The law does not apply to nonprofits, state and local governments, higher education institutions, or national securities associations registered under the Securities Exchange Act. Consistent with other state data privacy laws, it also exempts financial institutions and data subject to the Gramm-Leach-Bliley Act and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA).

The law excludes 16 different categories of data from its purview, including protected health information under HIPAA, information subject to the Fair Credit Reporting Act, employee and job applicant data, and information protected by the Family Educational Rights and Privacy Act.

A “consumer” is defined as a Connecticut resident, and excludes individuals “acting in a commercial or employment context,” also known as a business-to-business exception, which is consistent with other state privacy laws.

Connecticut consumers will have the right to opt out of the processing of their personal data for targeted advertising, the sale of their data, or profiling for automated decisions that produce legal or significant effects on the consumer. Entities subject to the law will have to provide “clear and conspicuous” links on their websites giving consumers the choice to opt-out of that type of processing and provide a universal opt-out preference signal by January 1, 2025. Consistent with other state privacy laws, the CPDPA contains an anti-discrimination clause. These requirements, along with those of the other state laws that go into effect in 2023, warrant another look at companies’ websites to see if they need to be updated.

The CPDPA requires controllers to limit:

  • collection of personal data to the minimum amount necessary for the purpose of the collection;
  • use of the personal data to only the purpose of the collection or as the consumer has authorized; and
  • establish and implement data security practices to protect the data
  • obtain consent before processing sensitive data, including data of any individual under the age of 13, and follow the provisions of the Children’s Online Privacy Protection Act.

Controllers will be required to update their website and other Privacy notices to be transparent about the categories of data collected, the purpose of the collection, how consumers can exercise their rights under the law, including an active email address at which to contact the controller, what information is shared with third parties, and the categories of third parties with which the controller shares the information. In addition, a controller must disclose that it is selling personal data for targeted advertising and provide consumers with information on how they can opt-out of the sale of their information.

Also consistent with the other state data privacy laws, the CPDPA requires that data controllers enter into a written contract with data processors prior to disclosing the personal data, outlining specific instructions for the data processing and data security requirements for the protection of the personal data. This requires organizations to review third-party contracts to determine whether they are disclosing personal data to third parties, whether CPDPA applies and to amend contracts with those third parties, as appropriate.

Violation of the CPDPA may land companies in an enforcement action by the Connecticut Attorney General (AG), who can levy fines and penalties under the Connecticut Unfair Trade Practices Act. However, there is a grace period for enforcement actions until December 31, 2024, for the AG to provide organizations an opportunity to cure any alleged violations. Beginning on January 1, 2025, the AG has discretion to provide companies with that opportunity to cure and can look at the conduct of the organization during the cure period to determine fines and penalties.

Significantly, consistent with Colorado, Virginia, and Utah, but tacking away from California, the CPDPA is clear that the law does not provide a private right of action for consumers to seek damages against organizations for violation of the law.  Jurisdiction for violations is solely with the AG 2023 will be a busy compliance year for state data privacy laws as laws in Virginia, Colorado, Utah, and now Connecticut will all go into effect. Now is the time to determine whether these new privacy laws apply to your organization and to start planning compliance obligations.

This week, AGCO, a U.S. agricultural machinery manufacturer, suffered a ransomware attack that affected its business operations and shut down its systems.

AGCO, headquartered in Duluth, Georgia, designs, produces, and sells tractors, combines, foragers, hay tools, self-propelled sprayers, smart farming technologies, seeding and tillage equipment. AGCO first discovered this attack through its subsidiary, Massey-Ferguson, when its websites in France, Germany, and China were targeted. At that time, more than 1,000 employees were sent home from production facilities in France. Operations across the globe have been affected.

In order to mitigate and remediate the attack, AGCO shut down portions of its IT systems, but it will likely take several days to fully repair them. It is currently unknown when business operations will fully resume.

This attack is likely a result of a recent donation to a Ukrainian relief fund. The day before this attack, AGCO Agriculture Foundation donated $50,000 to the BORSCH initiative, which assists Ukrainian farming communities affected by the war with Russia. A few weeks ago, the FBI released a warning on ransomware attacks targeting the U.S. agricultural industry and timed to coincide with critical seasons in the industry.

The FBI’s warning recommended the following steps to mitigate against ransomware attacks:

  • Regularly back up data, air gap (a security measure that involves isolating a computer or network and preventing it from establishing an external connection), and password protect backup copies offline.
  • Ensure copies of critical data are not accessible for modification or deletion from the system in which the data reside.
  • Implement a recovery plan that includes maintaining and retaining multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Identify critical functions and develop an operations plan in the event that systems go offline. Think about ways to operate manually should it become necessary.
  • Implement network segmentation.
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts and use strong pass phrases where possible.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
  • Consider adding an email banner to messages coming from outside your organizations.
  • Disable hyperlinks in received emails.
  • Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).

In the short term, the agricultural industry (as well as all U.S. businesses) should be on high alert, and, in addition to patching all systems in your organization’s environment, the best thing to do is to have robust monitoring of the environment. Businesses cannot defend what they can’t see; every asset must be monitored.

The American Civil Liberties Union (ACLU) filed suit against Clearview AI, Inc. (Clearview AI) in March 2020, alleging that it violated the Illinois Biometric Information Privacy Act (BIPA) by capturing and using billions of individuals’ faceprints without consent. The ACLU filed suit “on behalf of groups representing survivors of domestic violence and sexual assault, undocumented immigrants, current and former sex workers, and other vulnerable communities uniquely harmed by face recognition surveillance.”

According to the ACLU, as part of the settlement Clearview AI has agreed to implement certain processes so that it is “in alignment with BIPA.” Clearview AI has agreed to:

  • restrict the sale of its faceprint database across the United States;
  • be permanently banned, nationwide, from making its faceprint database available to most businesses and other private entities;
  • cease selling access to its database to any entity in Illinois, including law enforcement, for five years;
  • maintain an opt-out request form on its website;
  • end its practice of offering free trial accounts to individual police officers; and continue to filter out photographs that were taken or uploaded in Illinois for the next five years.

According to Emsisoft, the education sector continues to experience ransomware attacks, with a whopping 1,043 schools affected by ransomware in 2021. This statistic breaks down to include 62 school districts and 26 colleges and universities.

Emsisoft estimates that data of employees and students were stolen in at least half of those attacks in 2021.

2022 looks to be even worse for higher education than 2021 for ransomware attacks. In the beginning of 2022, higher education institutions continued to be targeted by ransomware gangs. In March and April, BlackCat (a/k/a ALPHV group) deployed ransomware against North Carolina A&T State University and Florida International University, and in April Austin Peay State University was hit with a ransomware attack as well.

Some of the attacks disrupted the application process, operations, and classes in one case, the ransomware attack put the school over the edge to closure. All the more reason for those in the education sector to prepare and mitigate against the risk of an attack.

Researchers from the Mozilla Foundation reviewed the privacy policies of 32 mental health apps ranging from guided meditation to telehealth counseling services and flagged 28 of them as having “Privacy Not Included.” In addition, the report sorts the apps from “Not creepy!” to “Super creepy!” (The rankings are each accompanied by a delightful emoji face displaying the appropriate amount of concern.) The team also detailed each app, laying out specific concerns.

The Department of Veteran Affairs’ “PTSD Coach” is the gold standard from the “Not creepy!” camp, as it doesn’t collect any personal data and lets users opt-out of anonymized sharing. The researchers’ only gripe was that the Google Play Store app hadn’t been updated in a while – not a bad review for an app from the V.A.!

On the other hand, several telehealth apps were at the top of the “Super creepy” category. The report describes how these apps collect vast amounts of sensitive personal information through their intake forms and have “vague and messy” privacy policies riddled with red flags. For example, one policy hadn’t been updated since 2018, and another gave the company – again, a mental health care provider – the right to sell information to advertisers.

My personal favorite profile was a popular Bible app developed by a company that the Mozilla team traced back to a mysterious and controversial Chinese mobile game developer. The app inexplicably collects GPS location, and the privacy policy includes this gem instead of opt-out language: “You may decline to submit personal information to any of our services, in which case we may not be able to provide those services to you.” It’s been a tough few years, and you may be looking for new ways to support your mental health. But don’t compromise your data to do it – good privacy habits are self-care too. View the full report here.

Readers of this blog know how I feel about apps and the data they collect, use and disclose when it comes to privacy. Although they are supposed to tell you in their privacy policy what data they are collecting, few people actually read the privacy policy to understand how their data are being collected, used and disclosed.

Some apps are worse than others when it comes to privacy. Below are some articles that can help you assess which apps and types of apps that have been dubbed by other writers as “the worst.” You will see a pattern. Take a look and continue to be aware of how your information is collected, used and disclosed BEFORE you download it.

https://nordvpn.com/blog/worst-privacy-apps/
https://www.purevpn.com/blog/worst-privacy-apps/
https://www.foxnews.com/tech/7-worst-apps-that-violate-your-privacy
https://www.inc.com/jason-aten/these-7-iphone-apps-are-worst-for-privacy.html
https://tech.co/news/5-apps-terrible-job-protecting-privacy-2018-03

The U.S. Department of State has announced a $10 million reward for “information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).”

In particular, the State Department is looking for six officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) for their roles in the criminal conspiracy to attack U.S. critical infrastructure by launching the NotPetya malware that caused U.S. businesses to lose close to $1 billion.

The six individuals are alleged to work for the GRU’s Unit 74455, also known as “Sandworm Team, Telebots, Voodoo Bear, and Iron Viking.” The State Department is encouraging those with information on the six individuals to contact it and to visit its reward website to learn more about the offer.

A surprising statistic is that, since its inception in 1984, the State Department’s Rewards for Justice program has paid more than $200 million to more than 100 people around the world who provided actionable information. This sharing of information is important to bring those who have committed crimes to justice and is profitable, too.

Last week, Mediant Communications Inc. (Mediant) settled a class action lawsuit in the U.S. District Court for the Southern District of New York stemming from a 2019 data breach in which hackers accessed 200,000 individuals’ personal information from its proxy investor communication service. Mediant is based in New York and offers mutual funds and real estate investment trusts along with other financial services. The breach exposed individuals’ names, addresses, e-mail addresses, phone numbers, Social Security numbers, tax identification numbers, and account IDs, among other sensitive information.

Lead plaintiff, Phillip Toretto, sued Mediant, alleging that the hack was caused by Mediant’s poor network security and its failure to encrypt personal information stored and maintained on its systems. Additionally, Toretto claimed that Mediant failed to adequately notify its customers.

Judge Gregory H. Woods first determined in February that Toretto could proceed on his declaratory judgment and negligence claims. However, the court dismissed the claims brought against the publicly-traded company, Donnelly Financial Solutions, through which Mediant provides proxy investor communications services. The details of the settlement are anticipated within the next few weeks.

A December 2021 breach of Lakeview Loan Servicing’s customer data has led to another proposed class action against the company in the U.S. District Court for the District of South Carolina. The breach affected the personal information of more than 2.5 million customers.

Plaintiffs Anthony Teresa Oglesby allege that their names, addresses, loan numbers, and Social Security numbers were compromised as a result of the breach. The complaint includes allegations that Lakeview failed to secure customers’ personal information and failed to notify the affected individuals until three months after the incident. Plaintiffs claim that the affected customers have suffered stress, theft of their personal information, and incurred costs related to identity theft protection services. The causes of action include negligence and violation of the South Carolina Unfair Trade Practices Act.

This suit comes after three other lawsuits were filed in the U.S. District Court for the Southern District of Florida by other affected customers as a result of this data breach.

Plaintiffs seek compensatory damages, actual damages, statutory damages, and attorneys’ fees and costs.