Another day, another governmental entity hit with a ransomware attack. If you are a resident of Bernalillo County, New Mexico, and you need a marriage license, want to conduct a real estate transaction or register to vote, you might be told there is “no access to systems and no legal filings are possible” due to a cybersecurity “issue.” But you CAN still pay your taxes, as no extension is being given, despite the cyber event.

According to the Albuquerque Journal, the County announced on January 5, 2021, that it was a victim of a cyberattack that affected “a wide variety of county government operations. Most county buildings were closed until further notice.”

Not only was the clerk’s office closed for certain business transactions, but the County also filed an emergency notice in federal court that it was unable to comply with terms of a settlement involving conditions at the County jail because the ransomware attack knocked out access to the jail’s security cameras. As a result, all inmates were limited in how much time they could spend outside their cells, and their access to telephones and tablets was reduced. According to the article, the facility has been “on ‘lockdown’ since Wednesday.”

Court systems were disrupted as well, and personnel scrambled to set up alternate plans to “allow criminal proceedings to continue in the face of this unforeseen event.”

Ransomware attacks against local governmental entities are frequent and very disruptive to residents of that state, county, or municipality. And it does not look like the pace of attacks against local governments will ease any time soon.

New Mexico’s Attorney General, Hector Balderas, continues to champion children’s online privacy protections, this time settling with Google over alleged violations of the Children’s Online Privacy Protection Act (COPPA).

We previously reported that the AG sued Rovio Entertainment, the maker of Angry Birds, alleging that it violated COPPA by collecting data on players under the age of 13 and disclosing that information to advertisers.

General Balderas is on a roll, having just announced a settlement of two lawsuits against Google for violations of COPPA. The lawsuits were filed in 2018 and alleged that Google (and other tech companies) collected personal information from children under the age of 13 when they downloaded free games from Google Play.

The settlement requires Google to pay $3.85 million to create the “Google New Mexico Kids Initiative,” which will promote privacy, education, and safety for children in New Mexico. According to AG Balderas, “There are incredible risks lurking online and we should do everything we can to protect the privacy of children. I’m pleased that we demanded Google put the safety of our school children first and that we’re able to partner with Google in our shared commitment to innovation and education, putting these funds where they can do the most good.”

For its part, in addition to creating the Kids Initiative, Google has agreed to provide school administrators with tools to assist students with protecting their personal information and to actively police app developers so they do not collect information from children under the age of 13 without parental consent.

The New Mexico AG is making a name for himself in the area of children’s privacy. We will keep following his progress and see if any other AGs follow his lead.

Governor Susana Martinez recently signed into law the New Mexico “Data Breach Notification Act” (the Act), making New Mexico the 48th state (plus Puerto Rico and the District of Columbia) to adopt legislation mandating the provision of notice in the event of a data breach.

The Act – which takes effect June 16, 2017 – requires persons that own or license personal identifying information of New Mexico residents to notify each resident whose personal identifying information is reasonably believed to have been subject to a security breach. The Act also implements security standards for the use, storage and disposal of personal identifying information by such persons. The Act includes the following important definitions:

On April 8, the Montana legislature sent its new social media law to the Governor for signature and on March 23, Virginia passed legislation prohibiting an employer from requiring, requesting, or causing a current or prospective employee to disclose his or her username and password of social media accounts or requiring an employee to obtain the username and password or other access to a current or prospective employee’s social media account. These two states have joined 17 others that contain similar prohibitions.

Connecticut and West Virginia failed to pass similar social media legislation earlier this month, and Mississippi and Wyoming rejected their proposed legislation in February.

Last year, approximately 28 states considered social media legislation that, in general, prohibited employers from accessing employees' social media accounts, but only 7 states were successful in enacting laws on the subject matter: Louisiana, Maine (which authorized a study into the issue), New Hampshire, Oklahoma, Rhode Island, Tennessee, and Wisconsin. This brought the total number of states that have enacted such legislation to 17, as 10 states (Arkansas, Colorado, Illinois, Nevada, New Jersey, New Mexico, Oregon, Utah, Vermont (authorizing a study), and Washington) enacted social media legislation in 2013.


Employers doing business in these 19 states may wish to review the statutory prohibitions with counsel, and employers in the other states—keep watching social media legislation as your state is probably not far behind. Whether your state prohibits access to social media accounts of your employees or prospective employees through statute or not, this is an area that warrants caution.

As a former Assistant Attorney General, I have a soft place in my heart for Attorneys General as consumer protection advocates. Most state AGs have the primary jurisdiction to enforce compliance with consumer protection laws in their states. Some are more aggressive than others, such as New Mexico Attorney General Hector Balderas, who recently sued Rovio Entertainment, the maker of Angry Birds, alleging that Rovio violated the Children’s Online Privacy Protection Act (COPPA) by collecting data on players under the age of 13 and disclosing it to advertisers.

According to Balderas’s allegations, Rovio monetizes children by collecting data while they are playing Angry Birds and uses the data for targeted advertising, also known as behavioral advertising.

Although the case is in its infancy, it is a reminder to parents, grandparents, and caretakers of children under the age of 13 that there are laws in place that require consent of parents or guardians of minors under the age of 13 for the collection of their data during their online activity. If you are a caretaker for a child under the age of 13, whether you are a parent or otherwise, it is important to keep track of the consents given in the past, or when you give consent for the child to use an online platform, such as a game. The consents are there as protections for children’s information and the use and sale of it. Laws such as COPPA have been enacted by Congress for the protection of children, but if parents and other caretakers are not paying attention and availing themselves of the protection, they may unwittingly fail to protect the child’s data.

Before giving consent for a child to use an online platform that collects, uses, or sells their data, read the online platform’s privacy policy to see what they are doing with the data. Do you agree with how they are sharing your child’s online activity data? Are they selling it?

If you have already given consent and your child uses an online platform frequently, go back and read the privacy policy to see if it has changed or if you still agree with it (or read it for the first time). Talk to your child about online activity and how their information is being collected, used and sold. Educate your child about the consequences of online activity.

Although AGs do their best to protect all of us as consumers, we can’t rely on them alone. We have to take responsibility to protect ourselves and our children from harm, including harm associated with online activity.

As the use of unmanned aerial systems (UAS, or as they are more commonly called, drones) continues to increase rapidly alongside the technology's development, more and more industries will utilize UAS in their day-to-day operations, including the oil and gas industry. Initially, UAS were mainly used in the oil and gas industry for conducting inspections, but now UAS are becoming part of the fabric of the industry. UAS are now used for a variety of tasks, from monitoring pipelines to providing assistance during oil spills. UAS are more efficient than previously used techniques and can also offer an element of safety by removing people from potentially dangerous missions.

When the oil and gas industry conducts maritime missions in the water, UAS are used for surveying and inspections including structural surveys, pipeline inspections, bottom debris surveys and sub-sea facility inspections. Aerial missions in the oil and gas industry using UAS are also becoming more common. UAS are being used to conduct flyovers in oilfields of Alaska and monitor oil and gas production in New Mexico. UAS can even be used to detect oil and gas leaks which may lead to less catastrophic events involving the oil and gas industry, and save the environment from the hazardous effects of oil and gas spills.

While UAS currently hold a valuable position in the oil and gas industry, it is likely that UAS will have an even bigger place going forward.

The Office for Civil Rights (OCR) has announced that it has entered into a settlement with St. Joseph Health, which operates hospitals and nursing homes in California, Texas and New Mexico, for $2.14 million for alleged HIPAA violations.

St. Joseph Health notified the OCR on February 14, 2012, of a data breach involving the protected health information of 31,800 patients when one of its servers included a file sharing application that used default settings and allowed access to the information through the internet in 2011 and 2012. According to the press release, the information was available through internet search engines during that time frame.

The files were pdf files that included the names, health status, diagnosis and demographic information of the patients.

The OCR noted that although St. Joseph Health hired contractors to assess risks and vulnerabilities of ePHI on its system, those assessments “did not result in an enterprise risk analysis.” According to the OCR, the security risk assessment was conducted in a “patchwork fashion and did not result in an enterprise-wide risk analysis.” Unfortunately, there is no further information on what the OCR means by this statement or what type of security risk assessment it deems sufficient.

In addition to the fine, St. Joseph also entered into a Corrective Action Plan with the OCR.

This week (May 8-12, 2017) is Privacy Awareness Week—an annual initiative of the Asia Pacific Privacy Authorities Forum (APPA) that concentrates on sharing information about privacy practices and rules.

The APPA is an interesting group made up of privacy regulators from Australia, British Columbia, Canada, Colombia, Hong Kong, Japan, Korea, Macao, Mexico, New South Wales, New Zealand, The Northern Territory, Peru, Queensland, Singapore, the United States (both the Federal Communications Commission and the Federal Trade Commission are included), and Victoria. It has been in existence since 1992 (way before privacy became such a huge issue with the Internet), and they meet twice a year to “form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints.” What a brilliant idea…

This year’s theme for Privacy Awareness Week is “Care When you Share,” and APPA is “encouraging individuals to care about their privacy and better inform themselves of what will or might happen to their personal information before they share it” as well as better educating employees of governmental agencies to understand their responsibilities with others’ personal information and to basically respect it and treat it as their own.

APPA and its members have distributed great resources for Privacy Awareness Week, including posters with the theme “Pause for Privacy,” a Quickguide for CIOs, a guide on “How to Embed and Support a Culture of Privacy,” and guides for the sharing of information between governmental agencies.

So embrace Privacy Awareness Week and “Share with Care.” Pause before you click “I agree.” Think twice before you give your Social Security number to someone or enter all of your personal information into a website form. These are all previous Privacy Tips from this blog, but it is always good to revisit them—especially when the theme of Privacy Awareness Week is “Share with Care.”

Cybersecurity specialists at BAE Systems and Symantec announced last week new evidence suggesting that the criminals behind the notorious 2014 attack on Sony Corp. are also responsible for recent cyber-attacks involving 104 organizations in 31 countries. Researchers and investigators have long attributed the 2014 Sony attack, which crippled computer systems and revealed internal emails, to the North Korea-linked group known as “Lazarus.” Malware recently discovered running on the computers of a Polish bank suggests that the Lazarus group is now targeting global financial institutions using a sophisticated “watering hole” technique.