The Cybersecurity & Infrastructure Security Agency (CISA) and the FBI issued a joint Alert this week, entitled “Reminder for Critical Infrastructure to Stay Vigilant Against Threats During Holidays and Weekends” outlining “actions that executives, leaders and workers in any organization can take proactively to protect themselves against cyberattacks, including possible ransomware attacks, during the upcoming holiday season—a time during which offices are often closed, and employees are home with their friends and families.”

The holidays are a perfect time to launch an attack against unsuspecting victims, and cyber criminals know it: this is the season when people are most distracted.

The same is true for critical infrastructure operators. According to CISA, “As Americans prepare to hit the highways and airports this Thanksgiving holiday, CISA and the Federal Bureau of Investigation (FBI) are reminding critical infrastructure partners that malicious cyber actors aren’t making the same holiday plans as you.” Cyber criminals don’t take the holidays off. This is their busy season. The Alert notes that there also was an uptick in ransomware attacks during the Mother’s Day and Independence Day weekends.

CISA and FBI are urging organizations to:

  • “Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.
  • Implement multi-factor authentication for remote access and administrative accounts.
  • Mandate strong passwords and ensure they are not reused across multiple accounts.
  • If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
  • Remind employees not to click on suspicious links, and conduct exercises to raise awareness.”
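The alert's RDP bullet asks that the service be "secure and monitored." As an added example (not part of the CISA/FBI alert or of the original post), the script below shows what monitoring RDP over a holiday window can look like: it reads Windows Security log events, keeps only Remote Desktop logons, and flags failure bursts, successful logons from unexpected sources, and a success that follows a failure burst. The events, the holiday window (Thanksgiving weekend 2021), the allow list of admin hosts and the threshold are all constructed for this example; Event IDs 4624 and 4625 with LogonType 10 are the real Windows identifiers for RDP logon success and failure.

```python
"""Holiday-weekend RDP logon review (added example, constructed data)."""
from collections import Counter
from datetime import date, datetime

# Constructed holiday window and allow list of hosts admins are expected to RDP from.
HOLIDAY_WINDOW = (date(2021, 11, 25), date(2021, 11, 28))
KNOWN_SOURCES = {"10.0.5.12"}
FAILURE_THRESHOLD = 5  # failures from one source before we call it a burst

# Constructed sample events in the shape of Windows Security log fields:
# (timestamp, EventID, LogonType, TargetUserName, IpAddress)
SAMPLE_EVENTS = [
    ("2021-11-24T09:15:00", 4624, 10, "CORP\\jsmith", "10.0.5.12"),   # before window
    ("2021-11-26T02:10:11", 4625, 10, "CORP\\admin", "203.0.113.7"),
    ("2021-11-26T02:10:15", 4625, 10, "CORP\\admin", "203.0.113.7"),
    ("2021-11-26T02:10:19", 4625, 10, "CORP\\admin", "203.0.113.7"),
    ("2021-11-26T02:10:23", 4625, 10, "CORP\\admin", "203.0.113.7"),
    ("2021-11-26T02:10:27", 4625, 10, "CORP\\admin", "203.0.113.7"),
    ("2021-11-26T02:10:40", 4624, 10, "CORP\\admin", "203.0.113.7"),  # success after burst
    ("2021-11-26T08:00:00", 4624, 2, "CORP\\svc-backup", "127.0.0.1"),  # console logon, not RDP
    ("2021-11-27T14:00:00", 4624, 10, "CORP\\jsmith", "10.0.5.12"),   # known admin host
]


def in_window(timestamp, window=HOLIDAY_WINDOW):
    """True when the event date falls inside the monitored holiday window."""
    day = datetime.fromisoformat(timestamp).date()
    return window[0] <= day <= window[1]


def is_rdp(event_id, logon_type):
    """4624/4625 with LogonType 10 (RemoteInteractive) are RDP logon events."""
    return event_id in (4624, 4625) and logon_type == 10


def review_rdp_events(events, window=HOLIDAY_WINDOW, known=KNOWN_SOURCES,
                      threshold=FAILURE_THRESHOLD):
    """Return findings (dicts) for RDP activity inside the window.

    Three finding kinds are produced, in event order:
      rdp_brute_force            - a source reached `threshold` failed logons
      rdp_logon_unknown_source   - a successful logon from a host not on the allow list
      rdp_success_after_failures - a success from a source that already hit the threshold
    """
    failures = Counter()
    findings = []
    for ts, event_id, logon_type, account, src in events:
        if not is_rdp(event_id, logon_type) or not in_window(ts, window):
            continue
        if event_id == 4625:
            failures[src] += 1
            if failures[src] == threshold:  # report once, when the threshold is crossed
                findings.append({"kind": "rdp_brute_force", "source": src, "time": ts})
        else:  # 4624
            if src not in known:
                findings.append({"kind": "rdp_logon_unknown_source", "source": src,
                                 "account": account, "time": ts})
            if failures[src] >= threshold:
                findings.append({"kind": "rdp_success_after_failures", "source": src,
                                 "account": account, "time": ts})
    return findings


def holiday_logon_summary(events, window=HOLIDAY_WINDOW):
    """Count successful RDP logons per account inside the window (for the on-call reviewer)."""
    summary = Counter()
    for ts, event_id, logon_type, account, _src in events:
        if event_id == 4624 and is_rdp(event_id, logon_type) and in_window(ts, window):
            summary[account] += 1
    return summary


if __name__ == "__main__":
    for finding in review_rdp_events(SAMPLE_EVENTS):
        print(finding)
    print(dict(holiday_logon_summary(SAMPLE_EVENTS)))
```

The allow list and threshold are the two knobs an on-call engineer tunes before the weekend; the summary is there so that even an expected logon from a known host during the window is still reviewed, which is what "monitored" means in practice.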

CISA and the FBI have issued a comprehensive overview of steps organizations can proactively take to protect themselves from ransomware attacks in the resource “Ransomware Awareness for Holidays and Weekends.”

This holiday weekend, and throughout the holiday season, remind users of the increased threat and to stay vigilant.

The U.S. District Court for the Northern District of Illinois denied a motion to dismiss a class action for allegations that GrubHub, Inc. violated the Telephone Consumer Protection Act (TCPA). The plaintiff alleged that she received a series of robocalls from GrubHub, even though she asked to be put on the do-not-call list more than once. The plaintiff further alleges that GrubHub used a device “programmed to sequentially or randomly access, dial, and call […] stored telephone numbers,” and that GrubHub “effectively prevent[ed] her from using her phone” and “clogg[ed] up” her voicemail.

In GrubHub’s motion to dismiss, GrubHub argued that the TCPA section at issue has since been declared unconstitutional during the time period in which the plaintiff claims the calls were made; therefore, it was unenforceable during that time period.

Specifically, the debate between the parties centered on the TCPA’s robocall provision’s status between 2015, when the government debt exception was enacted, and February 11, 2021, the date final judgment was entered by the District Court on remand in Barr v. American Association of Political Consultants, Inc. (AAPC). In AAPC, the Supreme Court held that the government debt exception was unconstitutional because it favored government-debt collection speech over other types of speech. However, rather than finding the entire TCPA unconstitutional, the Court severed the government debt exception from the rest of the statute. GrubHub argued that severability can only apply prospectively, not retrospectively, and therefore the entirety of the cell phone robocall prohibition was unconstitutional during this time period. If that were correct, the court would lack subject matter jurisdiction over the plaintiff’s action. The clear weight of authority, however, supports the view that severability of the government debt exception amendment to the TCPA operates retrospectively. The court denied the motion to dismiss on these grounds.

The lesson here is that the TCPA is still being enforced and litigated. If your company is using autodialers or pre-recorded messages, be sure to stay on top of the requirements under this statute. Otherwise, the penalties or claims for damages could be substantial.

Every year, technology is used in new and inventive ways, and drone holiday light shows seem to be making their way into some cities’ and towns’ holiday traditions.

In Grapevine, Texas, millions of lights, gigantic decorations, and animated holiday characters fill the town this holiday season. Grapevine has been officially trademarked as being the “Christmas Capital of Texas.” This year, Grapevine is trying out something new: two Christmas-themed drone light shows. With a fleet of more than 160 drones, the “Merry & Bright Christmas Drone Show” will take place on December 11 and December 18, operated by Sky Elements, a Texas-based drone show organizer.

This isn’t the first time Sky Elements has put on a holiday show in Texas. In October 2021, Sky Elements hosted a Halloween drone light show with 150 drones soaring above Dallas to create formations of pumpkins, ghosts, flying witches, spider webs, and tombstones. The Christmas drone light show will last only eight to nine minutes.

Towns such as Grapevine aren’t the only ones using this technology as entertainment. Walmart sent its Holiday Drone Light show across the country last holiday season, using over 1,000 Intel drones to create 3-D shapes and characters like Frosty the Snowman and Rudolph the Red-Nosed Reindeer, and synced its drones’ movement with holiday classics for the spectators below.

Perhaps other cities and towns (and companies) will continue to follow this trend. If they do, be sure they are following the Federal Aviation Administration’s rules and regulations when it comes to safe and compliant operation of drones.

As we enter the holiday shopping season, cyber criminals are sharpening their cyber-scam strategies. We like to remind our readers about the enhanced risk during the holidays [view related posts here, here, and here]. Online shopping has increased over the years, and particularly since the pandemic began. The holiday season is such a risky time, with such potential to become the victim of a cyber-attack, that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint warning to “all Americans” alerting them to stay vigilant against cyber-attacks this time of year. CISA has offered a website to assist consumers.

CISA recommends these three simple steps to keep consumers safe when shopping:

  • “Check your devices – Before starting your hunt for the best deal, make sure your devices are up-to-date and all of your accounts have strong passwords. If you purchase an internet connected device or toy, change the default password and check the device’s privacy and security settings to make sure you’re not sharing more information than you want.
  • “Shop through trusted retailers – Before making a purchase and providing any personal or financial information, make sure you’re using a reputable, established vendor. Similarly, if you’re planning to make a charitable donation, be sure to research who or where your donation is going to ensure it’s a legitimate organization.
  • “Using safe methods for purchases – If you can, use a credit card or other forms of digital payments as opposed to a debit card as credit cards often have better fraud protections.”

For more information about shopping online safely this holiday season, visit CISA.gov/shop-safely.

For consumers, this holiday season promises to be even more chaotic than usual due to pandemic-related supply chain shortages. Many consumers may be shopping from unfamiliar sites in the hope of avoiding stockouts and shipping delays. As we have reported in the past, scammers can spoof and mimic well-known sites to make you believe you are shopping on the real site. Once you are on the site and buy an item (usually promoted at a deep discount), the scammer steals your payment information and/or other information you have provided on the website.

When online shopping, make sure you are on the official site of the business; using links from other sites is risky. If you see something on another site, instead of clicking on the link provided, use a new browser search to navigate to the real site.

If you are using an unfamiliar site, do your homework. Consider checking customer reviews or watchdog groups like the Better Business Bureau to verify that the vendor is legitimate, and only submit payment information through an HTTPS enabled form or trusted third-party payment processor. You may wish to consider using only one credit card for your online transactions to ensure that in the event the credit card is compromised, you have limited it to just one and not several cards that you will have to replace.

Safe shopping and enjoy the holidays!

*This post was co-authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.

A federal District Court judge in Illinois sided with the U.S. Department of Labor (DOL) in ordering Alight Solutions, LLC, an ERISA plan services provider, to comply with an administrative subpoena seeking documents pertaining to alleged cybersecurity breaches. The Court’s order in the case, Walsh v. Alight Solutions, LLC, Dkt. # 20-cv-02138 (N.D. Ill.), is significant as it mandated production of a great deal of information concerning Alight’s cybersecurity practices, finding Alight’s objections on grounds of irrelevance and burdensomeness insufficient to overcome the DOL’s broad investigatory authority and the presumption that investigative subpoenas should be enforced.

According to the Court’s order, the DOL’s investigation of Alight began back in July 2019 based in part on its discovery that Alight had processed unauthorized distributions from its ERISA plan clients’ accounts as a result of cybersecurity breaches and, further, had failed to promptly report the breaches and restore the unauthorized distributions to the affected accounts. DOL’s subpoena sought documents on a number of topics, including Alight’s cybersecurity policies, procedures, assessment reports, and training of its workforce; its business continuity plans pertaining to information security; and communications or other documents regarding any cybersecurity incident pertaining to its ERISA plan clients, dating back to 2015.

The Court began its analysis by noting that the broad subpoena power permits DOL to “investigate merely on suspicion that the law is being violated, or even just because it wants assurance that it is not.” Alight nevertheless argued that the subpoena power extends only to ERISA fiduciaries and, as a non-fiduciary, it was not required to respond to the subpoena. The Court flatly rejected that argument, concluding that nothing in the relevant statute or caselaw supported such a claim. Alight also contended that the document requests in the subpoena were “too indefinite.” The Court did not find any of them to be so indefinite that Alight should be relieved of its compliance obligation. In addition, Alight objected to many of the requests on the ground that they sought information not relevant to the investigation, but the Court rejected this argument as well.

Alight further claimed that compliance with the subpoena would be unduly burdensome, requiring “thousands of hours of work just to identify potentially responsive documents” in addition to the time and expense that outside counsel would incur in reviewing, redacting, and producing the materials. Even after the DOL modified the requests to address some of Alight’s concerns, Alight still asserted that the subpoena would require it to pull, review, and produce potentially tens of thousands of documents related to its ERISA business. Weighing the relevance of the requests against the burden on Alight, however, the Court found the balance favored the DOL.

The decision, coming on the heels of the DOL’s detailed April 2021 guidance on cybersecurity for benefit plans and service providers, illustrates that information security continues to be a significant area of concern for the DOL. Indeed, many of the document requests in the subpoena mirror those addressed in the guidance, and the DOL now regularly requests the information in plan audits. Plan service providers and fiduciaries therefore are well advised to review the DOL’s guidance and their cybersecurity practices. For additional information, see the August 6, 2021 post in our ERISA Claim Defense Blog, “Department of Labor Focuses on Cybersecurity for Benefit Plans.”

It’s that time of year again when we start to think about holiday gifts and Black Friday shopping. So as any good privacy pro knows, the Mozilla *privacy not included guide is the place to go to learn about the “creepiness” of the latest toy or gift that you are looking to buy.

This year, the guide reviews 151 products from smart toys to exercise equipment and provides lots of information related to the privacy features of each product. The purpose of the guide is to share information regarding the privacy and data collection practices for the smart products. Clicking on a particular product reviewed on the website will provide a summary of the product’s data collection and privacy policies and the guide’s rating for the product. Users also are able to vote and rate products along a “creepiness” scale, ranging from “not creepy” to “super creepy.”

Mozilla’s press release for the 2021 guide noted that “researchers spent more than 950 hours reviewing the 151 connected gifts across six categories: smart home, toys and games, entertainment, wearables, health and exercise, and pets.” The guide even reviews video call apps and dating apps. This year Mozilla identified 47 products that are branded with their “Privacy Not Included” warning label. Mozilla also identified 22 products in their “Best of” category that “do a good job of protecting your privacy and security.”

The guide does a lot of the hard work for you in finding and reading privacy policies. The guide also answers important privacy questions about whether a product can snoop on you, whether an email address is required to sign up, what personal data the device collects, how the company uses the data it collects, how you can control your data, the company’s known track record of protecting users’ data, whether the product can be used offline, and whether the privacy information is user-friendly. The guide also provides links to available privacy policies for each of the products reviewed.

With the passage of the Colorado Privacy Act, Colorado joins Virginia and California as early adopters of state-level privacy legislation. These laws impose higher restrictions on companies processing specific sensitive categories of data that reveal information such as sexual orientation and ethnic origin. However, the law remains unclear on what constitutes “revealing” information. For example, do the data need to be explicit or is implicit information protected as well?

Grindr, for instance, infamously leaked the identity of a Catholic priest using its platform earlier this year [view related post]. The magazine that outed the individual had purchased “commercially available” location data from the app. So, does the fact that the user data leaked from an LGBTQ dating app count as “revealing” his sexual orientation? The U.S. Conference of Catholic Bishops seemed to think so – the priest resigned amid allegations of “possible improper behavior.”

Privacy law in the United States is developing quickly; companies collecting, maintaining, and using personal data must comply with a confounding meshwork of state, federal, and industry standards. As a result, companies collecting, maintaining, and using potentially sensitive data (as that term is defined in several state statutes), particularly companies serving marginalized communities, may wish to consider watching this space especially carefully. The difference between classifying a user table as high or low risk could be thousands of dollars in fines and do incalculable damage to people’s lives.

*This post was co-authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.

Backup plans continue to be one of the most important ways to respond to a ransomware attack. If you have a backup plan, have tested it, and can migrate to it, you are better equipped to be able to respond when your system is locked by ransomware. If you do not have backups of your system, you are more vulnerable to succumbing to the ransom demand to get your business back up and running.

Mimecast recently issued its “Facing the Reality Gap: State of Ransomware Readiness” report that included conclusions from a survey of 742 cybersecurity professionals worldwide. The report is blunt and eye-opening in several respects, such as the statement, “Who’s at Risk? Everyone.” Agreed. According to the Report, the goal was “to understand how executives are managing the risk in ransomware attacks, not only from a sense of confidence in their own preparation against these attacks, but also in how they are hardening their organizational defenses against ransomware.”

Not surprisingly, the report shows that a whopping 80 percent of organizations have been attacked by ransomware, 39 percent of executives “feel they could lose their jobs over a successful ransomware attack,” more than one-third of companies chose to pay the ransom in full, 42 percent experienced disruption following a ransomware attack, and 36 percent experienced downtime after a ransomware attack.

Although executives are investing in preventive technology such as web security and end-point protection, only 45 percent of the executives surveyed said they had invested in file backups.

With these staggering statistics, the fact that fewer than half of those surveyed were actively backing up files was glaring. If yours is one of those companies, check out the Mimecast report, make it mandatory reading at the next C-Suite and Board meeting, and get that backup plan implemented and tested.

Credit card skimming fraud continues to affect companies and their customers, causing businesses such as Costco to routinely inspect their PIN pads for the devices. According to news reports, following a routine inspection of its PIN pads, five card-skimming devices were found at four Costco stores in the Chicago area.

According to Costco, fewer than 500 customers were affected by the scam. When Costco found the skimmers, it “promptly removed the skimmers, notified law enforcement, and engaged a forensics firm to analyze the devices.” The skimmers were able to copy the customers’ name, card number, expiration date and CVV.

Costco notified the affected individuals, offered free credit monitoring, and advised users to check their credit card statements carefully for any unauthorized charges.

The message from Costco is an important one for all of us. Credit card skimming fraud continues to be an active scam, and we all should be watching our credit card statements carefully and alerting our bank if there is a suspicious charge. This is especially true as the holiday season approaches.

The Cybersecurity & Infrastructure Security Agency (CISA) issued the Cybersecurity Incident & Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems (Playbooks) on November 16, 2021, designed to assist Federal Civilian Executive Branch (FCEB) Information Systems agencies in adopting a standard set of procedures related to incident and vulnerability responses.

The two playbooks, which are designed for federal systems but “may be useful for organizations outside of the FCEB to standardize incident response practices,” provide “FCEB agencies with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting FCEB systems, data, and networks.”

The processes outlined in the Playbooks:

  • Facilitate better coordination and effective response among affected organizations;
  • Enable tracking of cross-organizational successful actions;
  • Allow for cataloging of incidents to better manage future events; and
  • Guide analysis and discovery.

According to CISA, the playbooks “apply to all FCEB agencies, information systems used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency.”

Although the playbooks are designed for FCEB agencies, organizations may wish to review the playbooks to get ideas of a framework for their own organizations if incident response and vulnerability playbooks have not been developed and implemented.