Staying current with Microsoft’s monthly patches is challenging, yet critical for one’s cybersecurity program. This week, Microsoft’s November Patch Tuesday released 55 patches, six of which were categorized as “critical,” four were previously disclosed (which means that cyber criminals may already be exploiting them), and two are being exploited now. Plugging all of these vulnerabilities should be a high priority for your security teams.

The vulnerabilities being exploited by cyber criminals now include one that allows remote code execution on Microsoft Exchange Server; the other involves bypassing a security feature in Microsoft Excel.

For a complete list of the vulnerabilities, the patches and what to do about them, the SANS Internet Storm Center outlines them well in its monthly summary, which can be accessed here.

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a Binding Operational Directive requiring all federal agencies to apply patches to new and old vulnerabilities that are being exploited in the wild.

The Directive, entitled Reducing the Significant Risk of Known Exploited Vulnerabilities, “establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise…and establishes requirements for agencies to remediate any such vulnerabilities included in the catalog.”

The Directive applies “to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency’s behalf. These required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”

The listed required actions include some that must be implemented no later than November 17, 2021, and others before May of 2022. A summary of the Directive can be accessed here.

The U.S. District Court for the Northern District of California dismissed a consumer class action against Ledger SAS’s e-commerce vendor Shopify Inc. because of its locale – Shopify is headquartered in Ottawa, Canada. Judge Edward M. Chen said in his decision earlier this week that the plaintiffs failed to satisfy their burden to demonstrate that Ledger “purposefully directed” its activity at California, or that the plaintiffs’ claims “ar[ose] out of” Ledger’s California-related activities.

The class action alleged that Ledger violated state consumer protection laws when it suffered two separate data breaches of information about customers who bought Ledger cryptocurrency wallets through Shopify’s platform between July 2017 and June 2020. The first breach was a result of rogue Shopify employees who exported data from the company, including customer records. The second breach was the result of hackers who gained access to 1 million customers’ email addresses and 9,500 customers’ contact information.

However, the court found that it lacked both general jurisdiction and specific jurisdiction over Ledger/Shopify. The court said in its decision, “Plaintiffs argue that the Court has general jurisdiction over Shopify, but concede that Shopify is neither incorporated in California (it is a Delaware corporation), nor is California Shopify’s principal place of business (Shopify USA’s principal place of business is Ottawa, Canada). Instead, to support their contention that the Court has general jurisdiction over Shopify, Plaintiffs observe that Shopify previously listed San Francisco, CA as its principal place of business since 2014, including, allegedly, during the time period that the data breach took place in 2019.” This was not enough to establish general jurisdiction.

The court also noted in its decision, “The placement of a product into the stream of commerce, without more, is not an act the defendant purposefully directed toward the forum state,” and therefore, again, the plaintiffs’ argument was not enough to establish specific jurisdiction either.

The court found that it did not have personal jurisdiction over a French company with a Canadian subsidiary, even though it collected and maintained (and breached) U.S. residents’ data. Read the full decision here.

An apparent email snafu has led to the filing of a putative class action against the Phoenix Children’s Hospital. The allegations stem from an email that was allegedly sent out to 368 people that outlined the protocols for employees with approved COVID-19 vaccine exemptions. The email set forth the protocols related to accommodations for such unvaccinated employees. The complaint, filed in Superior Court in Maricopa County, Arizona, sounds in two counts: invasion of privacy and negligent disclosure of medical information. The complaint presents itself as a state-law class action on behalf of all persons whose exemption status was allegedly disclosed by the hospital.

The complaint also alleges that the email disclosed private information about plaintiffs; i.e., “whether they applied for, and received, a medical or religious exemption to COVID vaccination.” According to the complaint, the list of affected employees was also shared on social media.

The hospital released a statement to the media explaining, in part, that “[i]n the process of communicating internal safety protocols related to [workplace] accommodations, the employee distribution list for one email message was inadvertently visible, instead of blind carbon copying the recipients. Since learning of our administrative error, we immediately informed affected employees of the error, extended our sincere apologies and explained that efforts had been taken to avoid similar mistakes in the future.”

I’m on vacation this week, and while most people read novels while on vacation, I catch up on data privacy articles and publications that I have set aside and haven’t had a chance to read. I just finished one that I thought was a quick and good summary of current data privacy issues entitled 5 Important Data Privacy Issues for 2020 by Zach Capers of GetApp.

The five issues he outlines are: 1) Hashing out the encryption debate; 2) Facial recognition attracting scrutiny; 3) Location tracking leading to concerns; 4) Watching out for smart surveillance tech; and 5) Enactment of new data privacy laws.

I won’t steal his thunder on telling you the rest—take a look yourself. It is a good, quick summary of these thorny issues to get you thinking so you’ll delve deeper into them. The article can be accessed here.

The Federal Trade Commission released a new enforcement policy statement on October 28, 2021, targeting the practice known as “Negative Option Marketing.” Negative Option Marketing is the practice of taking consumers’ silence as tacit consent in various circumstances, including automatic subscription renewals and free-trial marketing. In the statement, the FTC outlined four general requirements for companies soliciting consumer consent:

  1. Sellers must give “clear and conspicuous disclosure” of the terms of the policy or offer, including key terms such as the company’s intent to use silence as consent, the offer’s total cost, and how to cancel or withdraw consent.
  2. Sellers must disclose these terms before soliciting consumer consent.
  3. Sellers must obtain customers’ express informed consent.
  4. Sellers must not impose “unreasonable” barriers to cancellation or withdrawal of consent.

This new policy could be a sign that the FTC will begin cracking down on so-called “dark patterns,” wherein companies use dishonest means to trick customers into signing up for services or agreeing to policies. While sellers taking advantage of unsophisticated customers is not a new phenomenon, dense terms of service agreements and complex software installation processes pose an additional risk to consumers in the digital marketplace. Additionally, this policy may signal a new willingness to sanction related practices such as pre-checking boxes in software installation wizards to install unwanted bloatware in conjunction with the desired software. Sellers may wish to consider examining their opt-out forms and get out ahead of this next wave of enforcement actions.

This post was co-authored by Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.

The FBI issued a Private Industry Notification on November 2, 2021, warning companies that “ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.”

According to the Notification, ransomware actors are researching publicly available information to pick targets they believe may be looking for M&A activity or other “time-sensitive financial events,” and then using Trojan malware to provide reconnaissance to determine “how to best monetize the access.” During the reconnaissance, they have access to non-public information about plans and strategies that would be detrimental to the financial event if publicized. The threat actors then attempt to extort money from the company to not publish the data that could “affect a victim’s stock value.”

The Notification cites examples of how the scheme works, including that three publicly traded U.S. companies actively involved in mergers and acquisitions “were victims of ransomware during their respective negotiations…two of the three were under private negotiations.”

The FBI’s recommendations include:

  • Back up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data are not accessible for modification or deletion from the system in which the original data reside.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Use two-factor authentication for user login credentials, use authenticator apps rather than email as actors may be in control of victim email accounts, and do not click on unsolicited attachments or links in emails.
  • Implement “least privilege” status for file, directory, and network share permissions.

The Notification can be accessed here.

The Facebook company now known as Meta announced this week that it is shutting down the Face Recognition system on Facebook. Meta stated that this is part of a company-wide move to limit the use of facial recognition technology in its products. What does this mean? If you have a Facebook page and you previously opted in to be automatically recognized in photos and videos on Facebook, this feature will be disabled. Meta also announced that it is deleting more than a billion people’s individual facial recognition templates.

Meta claims in a press statement released this week that it needs to “weigh the positive use cases for facial recognition against growing societal concerns, especially as regulators have yet to provide clear rules.” Although Meta doesn’t elaborate on what the details are of the growing societal concerns, the company states that it seeks to move toward narrower forms of personal authentication.

Coveware recently issued its 2021 Q3 Ransomware blog article, which notes that ransomware attackers are “moving away from big game hunting” and are moving to the middle market. According to the post, “Middle market companies that are not systemically important may not offer up the largest ransoms, but are more cost effective to attack and may still provide a sizable payment if the company is caught without the proper defenses and backup assets.”

Coveware found that professional services companies saw the most ransomware events in Q3 2021, followed by the public sector, and then health care. The top three ransomware variants were Conti v.2, Mespinoza, and LockBit 2.0. The most used attack vectors continue to be Remote Desktop Protocol (RDP) compromise, email phishing, and software vulnerabilities. The most used tactics, techniques and procedures employed by the cybercriminals during an attack include: 1) Credential Access; 2) Lateral Movement; 3) Defense Evasion; 4) Persistence; and 5) Discovery.

Although the average ransom payment in Q3 was similar to that of Q2, Coveware reported that 83.3 percent of all attacks included the exfiltration of data.

The statistics from Coveware’s research continue to be consistent with our experience, and underscore the importance of preparing for a ransomware attack, testing your incident response plan through a tabletop exercise, and completing your ransomware playbook.

IDTechEx, which provides market research on emerging technology, analyzed California Department of Motor Vehicles (DMV) autonomous vehicle collision reports. Per California regulation, every company testing autonomous vehicles in California must notify the state’s DMV of any collision. IDTechEx reviewed those reports, which cover about a two-and-a-half-year period. James Jeffs, IDTechEx’s technology analyst, said that “[i]t is not looking good for human drivers.”

Of 187 reports filed between 2019 and July 2021, 104 of the incidents were caused while in manual mode (i.e., the autonomous system was overridden by the human and the human was driving the vehicle themselves). Of the remaining 87 incidents, 83 accidents occurred while the autonomous vehicle was in fully autonomous mode, but only 2 of those collisions were caused by poor performance of the autonomous system itself (the other 81 incidents were caused by human error, either in another vehicle or a disobedient pedestrian). This means that 99 percent of the autonomous vehicle accidents during this period in California were caused by human error.

The majority of these incidents were rear-end collision accidents while in traffic or stopped. However, if both vehicles were operating autonomously, perhaps the accident would not have occurred; autonomous vehicles do not take unnecessary risks (e.g., overtaking another vehicle or running stop signs), they devote 100 percent of their attention to driving, and they do not flee from law enforcement. Therefore, human error actually makes it more difficult for autonomous vehicles to operate safely. Research and development activities in the autonomous vehicle space are ongoing; autonomous vehicles are not yet 100 percent reliable, and likely never will be.

While autonomous vehicles may be imperfect, they do have 360-degree perception, can communicate with each other in advance, and will not make senseless operational errors. As the technology gets better, and more autonomous vehicles hit the roads, humans may be taking a back seat to these operator-less vessels.