Sorry to be the bearer of bad news but remember that I am only the messenger. According to the World Economic Forum’s Global Cybersecurity Outlook 23 Insight Report (published in collaboration with Accenture), although business leaders are more aware of the risk that cyber issues pose to their organizations, there remain challenges in how organizations are addressing and mitigating that risk.

According to the Report, “business and cyber leaders believe global geopolitical instability is moderately or very likely to lead to a catastrophic cyber event in the next two years.” Respondents understand the changing landscape of cyber attacks and they “now believe that cyberattackers are more likely to focus on business disruption and reputational damage. These are the top two concerns among respondents.”

In addition, 43 percent of respondents believe that it is “likely that in the next two years, a cyberattack will materially affect their own organization.” They also recognize that their organization’s cybersecurity risk is related to their supply chain partners’ security posture. Executives “see data privacy laws and cybersecurity regulations as an effective tool for reducing cyber risks across a sector.” Not that they want to see more regulations, but they recognize that such rules can incentivize organizations to have basic cybersecurity measures in place. Although the news is bleak that sophisticated cybersecurity attacks will increase and become more disruptive, it appears that organizations are becoming more aware of the risk, are trying to build a more robust cybersecurity posture, and are seeking ways to communicate more clearly across the organization. All of these measures are positive, but challenging, particularly in the face of a dearth of cybersecurity talent worldwide.

The Office of the California Attorney General recently announced that it will initiate an investigative sweep and will start sending letters to businesses about their mobile apps for failure to comply with the California Consumer Privacy Act (CCPA). There is also a new online tool that allows consumers to directly notify a business of an alleged CCPA violation, so we may see an influx of direct-from-consumer complaints.

The Attorney General’s office will focus its investigation on popular apps in the retail, travel, and food services industries. The goal is to determine whether these apps are complying with consumer opt-out and “do not sell or share” requests under the CCPA. The investigation will also focus on the apps’ failures to process consumer requests submitted through an authorized agent under the CCPA. For example, Consumer Reports’ app, Permission Slip, acts as an authorized agent for consumers to submit requests under the CCPA such as opt-outs and deletion requests.

Attorney General Rob Bonta said in the office’s recent press release, “[B]usinesses must honor Californians’ right to opt out and delete personal information, including when those requests are made through an authorized agent. [The] sweep also focuses on mobile app compliance with the CCPA, particularly given the wide array of sensitive information that these apps can access from our phones and other mobile devices. I urge the tech industry to innovate for good — including developing and adopting user-enabled global privacy controls for mobile operating systems that allow consumers to stop apps from selling their data.” Businesses that are subject to the CCPA – and the newly effective amendments under the California Privacy Rights Act (CPRA) – should continue to update and implement their policies, procedures, and processes to ensure compliance with the requirements of these regulations and to hopefully avoid being caught up in this investigative sweep.

The more one uses and shares on social media, the more information is publicly available for cyber attackers to use to exploit users’ personal and professional information.

It is hard for people to realize that every single thing shared on any social media platform is available for friends and foes alike to access and use. It is the detrimental use by criminals that is the concern and subject of this post.

A recent blog post by ISACA author Allen Ari Dziwa provides a great example of how seemingly innocuous posts on social media can turn into a CEO’s nightmare. In the example, the CEO receives an email from his “wife” about a recent golf trip. Since the CEO sees it is from his “wife,” a familiar source of emails, his guard is down, and he doesn’t check whether it is a phishing email. The result: he clicks on the link provided in the spoofed email and introduces malware into his company’s network.

Social engineering can be accomplished in just a few short minutes. It is scary to see how easy it is to spoof someone and, by exploiting familiarity, trick another person into believing a message comes from the person being spoofed.

Be wary of the information shared on social media and how it can be used by criminals to conduct social engineering scams.

The Federal Trade Commission (FTC) announced on February 1, 2023 that it has settled, for $1.5M, its first enforcement action under its Health Breach Notification Rule against GoodRx Holdings, Inc., a telehealth and prescription drug provider.

According to the press release, the FTC alleged that GoodRx failed “to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.”

In the proposed federal court order (the Order), GoodRx will be “prohibited from sharing user health data with applicable third parties for advertising purposes.” The complaint alleged that GoodRx told consumers that it would not share personal health information, and it monetized users’ personal health information by sharing consumers’ information with third parties such as Facebook and Instagram to help target users with ads for personalized health and medication-specific ads.

The complaint also alleged that GoodRx “compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles. GoodRx then used that information to target these users with health-related advertisements.” It also alleges that those third parties then used the information received from GoodRx for their own internal purposes to improve the effectiveness of the advertising.

The proposed Order must be approved by a federal court before it can take effect. To address the FTC’s allegations, the Order prohibits the sharing of health data for ads; requires user consent for any other sharing; stipulates that the company must direct third parties to delete consumer health data; limits the retention of data; and requires the company to implement a mandated privacy program.

While plaintiffs’ attorneys were initially focused late last year on suing health care entities for using Pixel and other tracking technology to share information about website users with social media platforms such as Meta (formerly Facebook), they are now eyeing other industries, including the fast food industry.

This week, a class action complaint was filed in the Northern District of California against Chick-fil-A, Inc. for data harvesting and targeted advertising without users’ consent.

According to the complaint, Chick-fil-A violated the Video Privacy Protection Act of 1988 when it deployed the Facebook Tracking Pixel “to identify a user’s video-watching behavior.” The complaint details how the Meta Pixel is used, which is educational in and of itself. According to the complaint, “Given the nature of Defendants’ business, visitors would be shocked and appalled to know that Defendants secretly disclose to Facebook all of the key data regarding a visitor’s viewing habits.”

New state privacy law requirements going into effect in 2023 will prompt more and more businesses to include pop-ups on websites asking customers whether they want to allow cookies or other tracking technology to be used while they visit a site. Before clicking “I accept,” do a bit of research on how cookies, pixels, and other tracking technologies are used and make an educated choice on whether to consent to the use of trackers or to set your own preferences. If you click “I agree,” you shouldn’t complain later about how detailed the tracking is, or how shocking or appalling it seems.

The California Privacy Protection Agency (CPPA) Board will hold its third public hearing on February 3, 2023, at 10 am PST.

The meeting will open with the Chairperson’s Update, during which CPPA Chairperson Jennifer Urban will likely address the status of the delayed California Privacy Rights Act (CPRA) regulations. Chairperson Urban is also a Clinical Professor of Law, the Director of the Samuelson Law, Technology & Public Policy Clinic, and the Co-Director of the Berkeley Center for Law and Technology at the UC Berkeley School of Law. Hopefully, we will see further guidance on the technical requirements of the CPRA and the implementation standards.

Long-awaited amendments and the possible adoption of final CPRA rules are on the agenda. The agenda includes preliminary rulemaking activity for new regulations on risk assessments, cybersecurity audits, and automated decision-making. The fact that the CPPA is undertaking other rulemaking activities may indicate that the Board hopes to adopt the final CPRA regulations at this meeting. Fingers crossed. Members of the public can join the meeting on Zoom.

Members of the public attending will be given the opportunity to comment on each agenda item before any Board action. The agenda and details on how to attend are available from the CPPA.

On January 22, 2023, T-Mobile was sued in federal court in California alleging negligence, unjust enrichment, breach of express contract, breach of implied contract, and invasion of privacy over the recently disclosed data breach of more than 37 million postpaid and prepaid customer records.

According to the complaint, the plaintiff was informed just two days before suit was filed that information belonging to her and other class members was “accessed and acquired by the unauthorized actor” and that class members “are at imminent risk of identity theft.”

On the other hand, T-Mobile has stated in a recently filed Form 8-K that the threat actor obtained data through a single API (application programming interface), that the company discovered and stopped it within one day, and that the threat actor was unable to compromise its systems or network. Significantly, T-Mobile stated that the data accessed by the bad actor did not include any financial information or Social Security numbers. Instead, the data accessed included customers’ “names, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.”

Based on the facts presented by T-Mobile, we expect that the company will vigorously defend the suit and a motion to dismiss the complaint will be forthcoming. There is strong precedent that requires plaintiffs to prove substantial harm in order to withstand a motion to dismiss. No matter how this particular case plays out, what is astounding is the speed at which suits are filed after a data breach is announced, no matter the facts.

In response to a rash of employment offer scams, the Federal Trade Commission (FTC) recently issued a scam alert intended to educate job seekers so they can avoid being victimized.

Not only are individuals subject to these scams, but legitimate businesses are spoofed and used to conduct the scams and they only find that out after the fact. It is frustrating when your business name is used by a criminal to conduct fraud and you don’t know it’s happening, how it’s happening, or how to stop it.

How does an employment offer scam work? There are several ways, but one common way is for a fraudster to set up a fake website that spoofs a real business, or to spoof a recruiter from a legitimate business by copying their information from a social media platform. Fraudsters use the website to offer jobs online, conduct interviews, and then “onboard” the victim. During the “onboarding” process, the fraudster instructs the victim to enter their personal information, including Social Security number and bank account information (supposedly to set up payroll), into an online form, or may ask that they purchase certain equipment before starting the job, for which the applicant will supposedly be reimbursed once they start. If you are searching for a job in the new year, be wary of job offer scams. Check out these tips from the FTC.

Israeli cybersecurity firm Hudson Rock has reported that the email addresses of more than 235 million Twitter users have been stolen and posted by more than one hacker on an online hacking forum. According to the security researcher’s Twitter posts, the compromise “is real and has an impact on almost every Twitter user. The database is likely circulating pretty heavily and will unfortunately likely leak in the near future.”

The original offering was posted by threat actor “Ryushi.” The offering was expanded by other threat actors to include telephone numbers of some users as well. According to Hudson Rock’s LinkedIn post, the compromise “will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”

In response to Hudson Rock’s report, Twitter issued a statement on January 11, 2023, that “based on information and intel analyzed to investigate the issue, there is no evidence that the data being sold online was obtained by exploiting a vulnerability of Twitter systems.” Twitter suggests that users enable two-factor authentication and “remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns.”

Twitter users should be aware of the report of this compromise and be on high alert for spearphishing and doxxing.

Readers of this blog know that we’ve been closely following the California Privacy Rights Act (CPRA) rulemaking process. California passed the law in 2020 to update the California Consumer Privacy Act of 2018 with additional consumer rights and business obligations. The CPRA also established a new government agency, the California Privacy Protection Agency (CPPA), responsible for enforcing the law and drafting regulations.

Unfortunately, writing detailed regulations while balancing the work of breaking ground on a new agency has most likely overwhelmed the CPPA. The CPRA is now effective as of the first of the year, and businesses are still working on compliance and implementation from the proposed regulations. While much of the draft regulations are likely to remain the same, there are some technical compliance points that companies have to figure out without explicit guidance.

For example, the proposed regulations require businesses to treat “Do Not Track” browser signals as opt-out requests from the consumer. However, processing a “Do Not Track” signal differs from processing specific CPRA data requests. Typical CPRA requests include the consumer’s name and contact information, which the business can check against its records. “Do Not Track” signals only come bundled with specific technical identifiers (such as IP address and operating system) that aren’t necessarily associated with a consumer in the business’s records. The conditions change again when the consumer is known to the industry and has opted into tracking, making the technical aspects of compliance even more complicated. Companies will need to develop a strategy to address this requirement (unaided by an industry standard for responding to “Do Not Track” signals). Faced with the January 1 deadline for CPRA compliance, the industry is now hewing as close to the EU’s General Data Protection Regulation (GDPR) controls and implementation as possible. The CPPA may continue to let the standard develop parallel to the GDPR as the path of least resistance for both businesses and regulators.
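As an added illustration of the problem described above (example code written for this post, not from any regulator or vendor), the sketch below shows how a web backend might honor a browser opt-out signal: for an anonymous visitor the signal can only be honored per request and remembered against the technical identifiers it arrived with, while for a signed-in consumer it can be recorded against the account, and a clash with earlier tracking consent is flagged for review. The `Sec-GPC` header (Global Privacy Control) is included alongside `DNT` as an assumption about what a business would treat as an opt-out; the conflict policy, the `ConsentStore` shape and the sample values are all constructed for the example.

```python
"""Honor a browser opt-out signal per request (constructed example)."""
from dataclasses import dataclass, field

# Headers treated as an opt-out when their value is "1". DNT is the signal the
# post refers to; Sec-GPC (Global Privacy Control) is added as an assumption.
OPT_OUT_HEADERS = {"dnt": "1", "sec-gpc": "1"}


@dataclass
class ConsentStore:
    accounts: dict = field(default_factory=dict)   # account_id -> "opt_in" / "opt_out"
    anonymous: set = field(default_factory=set)    # (client_ip, user_agent) pairs seen opting out


def has_opt_out_signal(headers: dict) -> bool:
    """True when any recognised opt-out header is present with the value "1"."""
    lowered = {k.lower(): str(v).strip() for k, v in headers.items()}
    return any(lowered.get(name) == value for name, value in OPT_OUT_HEADERS.items())


def decide_tracking(headers: dict, client_ip: str, account_id, store: ConsentStore):
    """Return (allow_tracking, reason) for one request and record any opt-out in `store`."""
    lowered = {k.lower(): str(v) for k, v in headers.items()}
    user_agent = lowered.get("user-agent", "")
    signal = has_opt_out_signal(headers)

    if account_id is None:
        # Anonymous visitor: nothing ties the signal to a consumer record, so the only
        # identifiers available are the technical ones the request carried. Remembering
        # them is best-effort (shared NAT addresses and common user agents collide).
        if signal:
            store.anonymous.add((client_ip, user_agent))
        if (client_ip, user_agent) in store.anonymous:
            return False, "anonymous opt-out"
        return True, "no signal"

    prior = store.accounts.get(account_id)
    if signal:
        store.accounts[account_id] = "opt_out"
        if prior == "opt_in":
            # Known consumer who previously consented: honor the signal but surface the
            # conflict so it can be reviewed rather than silently overwritten (assumed policy).
            return False, "signal conflicts with prior opt-in; review"
        return False, "account opt-out"
    if prior == "opt_out":
        return False, "account opt-out on file"
    return True, "no signal"
```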