CCPA 2.0 May Be Heading for the November Ballot in California

The consumer group Californians for Consumer Privacy announced on May 4, 2020, that it was submitting well over 900,000 signatures to qualify the California Privacy Rights Act (CPRA) for the November 2020 ballot.

This new ballot initiative, which can be reviewed here, creates some additional consumer privacy rights and expands some areas already included in the California Consumer Privacy Act (CCPA) regarding consumer privacy rights, including:

  • A new definition of sensitive personal information, including information about health, finances and a consumer’s precise geolocation;
  • a right of correction to allow California residents to request that a business correct personal information that is inaccurate;
  • increased administrative fines of not more than $2,500 for each violation or $7,500 for each intentional violation involving the personal information of consumers whom the business, service provider, contractor or other person has actual knowledge is under 16 years of age;
  • the creation of a new enforcement agency – the California Privacy Protection Agency – to enforce consumer privacy actions; and
  • changes to the private right of action, including a private right of action for personal information security breaches if the email address of a California resident – in combination with a password or security question and answer – is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.

One of the stated purposes of the CPRA is that consumers should know who is collecting their personal information and that of their children, how that information is being used, and to whom it is being disclosed, so consumers will have the information necessary to exercise meaningful control over a business’ use of their personal information and that of their children. We will continue to follow the CPRA to track its progress.

Financial Services Information Sharing Group Warns of Increased Phishing Attacks

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has warned that financial services firms, and in particular smaller ones, are being attacked at an increased rate during the coronavirus pandemic.

According to FS-ISAC, phishing attacks against financial services firms increased by one-third in the first quarter of 2020. In that time period, FS-ISAC identified more than 1,500 websites using pandemic-related lending programs as bait to fool people into disclosing personal information. Although they were taken down, new ones appear in their place, much like Whack-a-Mole.

With bank, credit union and other financial service company employees working from home, additional precautions are necessary to combat the attacks. FS-ISAC rolled out a chat feature to assist financial service companies in identifying and responding to cyber attacks. With the knowledge that they are being targeted, financial services firms can warn, educate and assist their employees to help prevent them from becoming victims of these increased attacks.

Drone Pilot Boot Camp and FAA Part 107 Exam Prep – Is It for You?

Three companies – HeatSpring, Little Arms, and Unmanned Experts – joined forces to create a “Drone Pilot Boot Camp + FAA Part 107 Exam Prep.” This new offering is an unmanned aircraft commercial operations course designed specifically for engineering, construction and renewable energy firms. The course has been developed over the past few years by a former combat pilot for the British Royal Air Force in tandem with leaders in drone technology and software.

One of the keys to this new course offering is logging flight time. The course includes training on Zephyr drone simulation software, which works across any platform and allows the instructors to review student progress and provide coaching to each individual student pilot. The idea behind the course is that the unmanned aircraft systems (UAS) industry is a constantly changing place, which requires effective and standardized training to help drive the industry forward.

While the course has a focus on engineering, construction and renewable energy firms, it is available for anyone who wants to become a drone pilot. The next course begins in April 2020. Check it out: https://www.heatspring.com/courses/drone-pilot-boot-camp-part-107-exam-prep.

Privacy Tip #238 – Coronavirus Charity Scams

I think that people in general are decent and good. There are always some bad apples, but during crises most people want to help others. During the coronavirus pandemic, many people are doing everything they can to help others, including assisting neighbors, family members, friends and health care workers. Charitable organizations have stepped up to assist those in need during the crisis as well. Generous people donate to charitable organizations to assist in their efforts. This is where the bad apples come in.

Bad apples know that most people are decent and good. They know people want to help others, and that people are generous and kind. And the bad apples take advantage of the goodness of others. During a crisis, like the one we are in now, bad apples spend every day trying to figure out how to do just that.

Coronavirus charity scams are such a problem that the Federal Trade Commission (FTC) issued a scam alert this week warning individuals to be careful about their charitable donations during this time and to confirm that they are giving to real organizations and not scammers.

According to the FTC Alert:

“No one wants their Coronavirus donation to go to a scammer, so before you give, do some research.

  • Search online for the charity’s name and the words “scam” or “fraud.”
  • Review ratings of the charity by these organizations.
  • Check the charity’s registration status with your local charity regulator. Are they registered to take donations in your state?

“Here are other things you can do to make sure a scammer is not taking advantage of your generosity:

  • Donate using a credit card. It’s the safest way to donate. Never donate by giving out gift card numbers or using a wire transfer. If someone asks you to donate that way, you can be sure it’s a scam.
  • Double check the name of the organization. Many fake charities try to trick you by using names similar to those of well-known organizations, but with one word different or a misspelled.
  • Ask lots of questions. What’s the charity’s website, address, and mission? How much of my donation will go to the program I want to help? How many people does the charity help, and how? If helping your community is important to you, ask how the charity spends money in your area. If you get vague answers, find another way to help.
  • Confirm that your donation will be tax deductible, if that’s important to you. Use the IRS’s Tax Exempt Organization Search to check. Know that donations to individuals are not tax deductible.
  • Don’t assume a donation request on social media is legitimate just because a friend liked it or shared it. Do your own research. Call your friends or contact them offline to ask them about the post they shared.

“Visit ftc.gov/charity for more tips on donating wisely. If you see a charity scam, report it at ftc.gov/complaint. Your report helps stop scammers and alert others about them.”

Sound guidance from the FTC to help ensure that our donations go to the causes we care about and we are really helping others.

Adult Streaming Site Leaves 7TB of Users’ Information Unsecured

Live adult streaming website CAM4 has reportedly not secured 7TB of users’ information, which may be able to be used for blackmail and identity theft purposes, according to researchers from Safety Detectives.

According to reports, CAM4 users pay to watch live streamed explicit adult content from consenting amateur performers who film themselves and post the content for users’ view. CAM4 reportedly stored the content on a misconfigured and unsecured cloud database that allowed information of millions of users to be accessible without security measures in place.

According to the researchers, the unsecured database included almost 11 billion records, including 11 million emails. The information potentially accessible included users’ first and last names, country of residence, sexual orientation, chat and email transcripts, IP addresses and inter-user conversations. Several hundred users’ full names, credit card types and payment amounts may also have been compromised.

This compromise is reminiscent of the Ashley Madison incident that took place several years ago. The obvious risk in this incident, as with the Ashley Madison incident, is the possibility that cybercriminals can leverage the data leak to try to blackmail users to obtain money for a promise not to expose the individual’s use of the live streaming site to loved ones or the world at large.

ExecuPharm Data Stolen in Ransomware Attack Published on Internet

In a growing trend, pharmaceutical company ExecuPharm became the victim of a ransomware attack on March 13, 2020, by the CLOP ransomware group, which exfiltrated its data and then posted it on the Internet. Apparently, ExecuPharm didn’t pay the ransom, and then paid the price anyway by having its data compromised and posted by the ransomware group.

ExecuPharm reported to the Vermont Attorney General that the ransomware attack compromised Social Security numbers, financial information, drivers’ license information, passport information and other sensitive data.

It is being reported that the information CLOP posted on the Internet included emails, financial and accounting records and database back-ups. There is presently no known decryption tool for the CLOP ransomware.

Shade Ransomware Group Shuts Down

Some good news in the ransomware world, which is so rare these days.

The Shade (Troldesh) ransomware group has retired and is shutting down. When do you ever hear that a ransomware group is shutting down? According to reports, Shade has publicly announced that it is retiring (apparently it has made enough money to do so) and is releasing 750,000 decryption keys for victims to get their data back.

Kaspersky Lab is reported to be developing a tool to assist with the decryption for those who have files that were decrypted in the past. If businesses were affected by Troldesh and still have the database that was encrypted, they may be able to use the tool to decrypt and recover the data that were lost.

In retiring, Shade said “We apologize to all the victims of the trojan and hope that the keys we published will help them to recover their data.” But they aren’t returning all of the money that they stole from victims.

Small Business Administration Loan Portal Compromised

Following the devastating impact of the coronavirus on small businesses, many small businesses applied for a disaster loan through the Small Business Administration (SBA) for relief.

Small businesses that qualify for the disaster loan program, which is different than the Paycheck Protection Program offered by the SBA, can apply for the loan by uploading the application, which contains their personal information, including Social Security numbers, into the SBA portal www.sba.gov.

Unfortunately, the SBA reported last week that 7,913 small business owners who had applied for a disaster loan through the portal had their personal information, including their Social Security numbers, compromised, when other applicants could view their applications on the website on March 25, 2020. On top of the turmoil the businesses have experienced from closure, owners now have to contend with potential personal identity theft.

The SBA has notified all affected business owners and is offering them free credit monitoring for one year. The notification letter indicates that the information compromised included names, Social Security numbers, birth dates, financial information, email addresses and telephone numbers.

If your business applied for a disaster relief loan and your personal information was compromised in the incident, you will receive notification from the SBA, which is recommending that you sign up for the free credit monitoring being offered.

Privacy Tip #237 – Nintendo Users: Change Your Password and Enable MFA

Nintendo has shut down some NNID logins and has told Switch owners to lock down their accounts following a series of fraudulent attacks. Nintendo has confirmed that it suffered an attack by hackers who accessed some accounts and are using PayPal accounts linked to the accounts to purchase items fraudulently.

According to Nintendo, approximately 160,000 accounts have been compromised, including users’ nicknames, email addresses, gender, and dates of birth. Some PayPal accounts have apparently been compromised as well.

Nintendo is urging customers to enable two-factor authentication on their accounts and has agreed to refund any fraudulent purchases made during the incident.

If you are a Nintendo user, heed Nintendo’s guidance and lock down your account and enable multi-factor authentication going forward.

New York Department of Financial Services Issues Guidance Regarding Heightened Cybersecurity Awareness During COVID-19 Pandemic

The New York Department of Financial Services (DFS) recently issued guidance to its regulated entities regarding heightened cybersecurity awareness as a result of the COVID-19 pandemic. DFS described three primary areas of heightened risk during this time: remote working, increased instances of phishing and fraud, and third-party risks.

With respect to remote working, DFS noted several areas of risk created by the shift to remote working. The prospect of more remote workers means additional security risks for all businesses. The DFS guidance focused on reminding regulated entities to use secure connections for remote workers – including the use of multi-factor authentication and VPN connections – to use secure wireless devices, and to provide guidance to employees regarding the secure use of wireless devices and other remote video conferencing tools.

DFS noted that there has been a significant increase in online fraud and phishing attempts and stated that the FBI has reported the use of fake emails purporting to be from the Center for Disease Control and Prevention (CDC), looking for charitable contributions or offering COVID-19 relief checks. DFS stated, “Regulated entities should remind their employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity.”

The third area DFS focused on was third-party risks. DFS suggested that regulated entities should coordinate with critical vendors to determine how they are adequately addressing new risks.

Finally, DFS issued a reminder that under 23 NYCRR Section 500.17(a), covered Cybersecurity Events must be reported to DFS as promptly as possible and within 72 hours at the latest.

LexBlog