Cyber Capsule - June 2022

Troutman Pepper
Welcome to the second edition of Troutman Pepper's Cyber Capsule, which recaps last month's noteworthy developments, including updates to reporting rules and cybercrime sharing, and other tidbits of information relating to cybersecurity. From a legislative standpoint, the trend of expanding definitions of personal information, preventing certain governments and agencies from paying ransom demands, and sharing information about attacks continues. We've also added a new section, "As the World Turns," to highlight some of the soap-opera-like comings and goings of ransomware groups.

Without further ado, the Cyber Capsule (Issue No. 2):

TIMING IS EVERYTHING

Proposed and Enacted Reporting Rules

  1. Updates to Pennsylvania's Data Breach Rules On Hold. On June 15, SB 696 was laid on the table — meaning that it may now be considered at a later date. The bill proposed updating Pennsylvania's Breach of Personal Information Notification Act by (1) modifying the definition of "personal information" to include certain health insurance and medical information, as well as online usernames and passcodes; and (2) requiring certain agencies, state agency contractors, school districts, counties, and municipalities to comply with strict seven-day reporting requirements.

  2. Florida Law Requires Agencies and Local Governments to Report Ransomware Incidents Within 12 Hours and Prohibits Payment of Ransom Demands. On June 24, Florida Governor Ron DeSantis (R) approved HB 7055, which requires state agencies and local governments to report ransomware incidents and high severity-level cybersecurity incidents to the Cybersecurity Operations Centers (CSOC) and the Cybercrime Office of the Department of Law Enforcement no later than 48 hours after discovering the cybersecurity incident and no later than 12 hours after discovering the ransomware incident. The act also prohibits certain entities from paying or otherwise complying with a ransom demand. The act takes effect July 1.

SHARING IS CARING

Swapping Cyber Intel

  1. California Bill Requiring Agencies to Implement NIST's Federal Vulnerability Disclosure Guidelines Referred to Suspense File for Fiscal Analysis. On June 27, AB 581 was placed in the "suspense file" for review to determine the estimated cost of the bill. If passed, AB 581 would require state agencies to review and implement specified NIST guidelines (i.e., Draft NIST Special Publication 800-216) for, among other things, reporting, coordinating, publishing, and receiving information about a security vulnerability, no later than July 1, 2023.

  2. Florida Agrees Sharing Is Caring — But Only to a Certain Extent. On June 24, Governor Ron DeSantis (R) approved AB 7057 to further expand the general public record exemptions for certain cybersecurity insurance information, critical infrastructure information, cybersecurity incident information, and certain cybersecurity-related information held by an agency. The act also provides an exemption from public meetings requirements for portions of a meeting that would reveal certain cybersecurity-related information held by an agency. The act takes effect on the same date that HB 7055 — mentioned above — or similar legislation will take effect.

AS THE WORLD TURNS

Ransomware Gang Rumblings

  1. LockBit Ransomware Gang Introduces First Ransomware Bug Bounty Program. Yep — you read that right. With the release of LockBit 3.0, LockBit introduced the first ransomware bug bounty program, inviting "all security researchers, ethical and unethical hackers on the planet" to participate. The payment amount varies from $1,000 to $1,000,000, depending on the category of "bug" reported. In addition to offering rewards for reporting vulnerabilities, LockBit promises to pay for "brilliant ideas" on how to improve its site and software.

  2. Conti Shuts Down Last Public-Facing Infrastructure. According to BleepingComputer, the Conti ransomware operation shut down its last public-facing infrastructure, which was used to leak data and negotiate with victims of the gang. While the notorious ransomware gang appears to be gone, it is likely that its members continue to operate under the cover of other ransomware operations. Per BleepingComputer, "[s]ome of the ransomware gangs known to now include old Conti members include Hive, AvosLocker, BlackCat, Hello Kitty, and the recently revitalized, Quantum operation."

  3. DOJ, FBI, and IRS Seize SSNDOB Marketplace Used to Sell Personal Information. On June 7, the Department of Justice announced the seizure of the SSNDOB Marketplace, a series of websites in operation for years used to sell personal information, including Social Security numbers. The international operation to seize this infrastructure resulted from close cooperation with law enforcement authorities in Cyprus and Latvia.

  4. LockBit Surpasses Conti as Most Active Ransomware Gang. LockBit replaced Conti as the most active ransomware gang in Q1 2022, with 225 victims, according to a KELA Cybercrime Intelligence report. Per KELA, "other prolific ransomware groups of Q1 were LockBit, Conti, Alphv, Hive, and Karakurt (recently found to be a side operation of Conti), with more than 30 victims disclosed by each operation."

  5. ALPHV/BlackCat Ransomware Group Turns Up the Heat to Get Victims to Pay. On June 14, KrebsOnSecurity reported that the ALPHV/BlackCat ransomware group began publishing individual victim websites on the public internet, with leaked data made available in an easily searchable form, as another approach to shame its victims into paying and increase proactive negotiations.

RANDOM ONE-OFFS

  1. Luring Cyber Talent to Federal Agencies. On June 21, President Joe Biden (D) signed the Federal Rotational Cyber Workforce Program Act of 2021 ( 1097) into law, creating a personnel rotation program for cybersecurity professionals working at federal agencies. The act seeks to attract and retain cybersecurity professionals in government (rather than the private sector) by offering professional experiences at different federal agencies.

  2. New York's First Chief Cyber Officer. On June 27, New York Governor Kathy Hochul (D) announced the appointment of Colin Ahern as the state's first-ever chief cyber officer. According to the press release, "Ahern will oversee all cyber threat assessment, mitigation, and response efforts — working with executive management at every state agency to manage cyber risks and prevent attacks." Ahern will also lead the recently announced Joint Security Operations Center, which oversees cybersecurity across the state.

FORGET ME NOT

Pertinent Events From May 2022

  1. FTC De Facto Breach Disclosure Requirement? On May 20, the FTC provided guidance through its Tech@FTC blog on the importance of effective breach disclosures. While the post references a "de facto breach disclosure requirement" created by the FTC Act, the likely takeaway is that businesses need to be mindful when crafting messaging around cybersecurity and data breaches to avoid making deceptive statements, not necessarily reporting otherwise nonreportable incidents.

  2. US Senator Releases New Report on Rise of Ransomware Attacks and How Cryptocurrencies Facilitate Cybercrime. On May 24, U.S. Senator Gary Peters (D-MI), chairman of the Senate Homeland Security and Governmental Affairs Committee, released a report, detailing the results of his investigation into the role of cryptocurrency in incentivizing and enabling ransomware attacks, as well as the resulting harm of such attacks to victims. The report found, in part, that the federal government lacks sufficient data and information on ransomware attacks and the use of cryptocurrency, and that lack of reliable and comprehensive data limits available tools to guard against national security threats. The report encourages CISA to complete the required rulemaking to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, co-authored by Peters and signed into law earlier this year. The act mandates incident reporting of substantial cyberattacks and ransomware payments against critical infrastructure.

  3. New Jersey One Step Closer to New Cyber Incident Reporting Requirement. On May 26, the New Jersey Senate passed Bill S297 (previously S4278) by a vote of 36-0. Currently referred to the state Assembly's Homeland Security and State Preparedness Committee, the bill would require public agencies and government contractors to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness within 72 hours of reasonable belief that a cybersecurity incident has occurred. An identical bill, A483 (previously A6178), was introduced on January 11; however, it remains in the Assembly's Homeland Security and State Preparedness Committee.

  4. Vermont Enacts Insurance Data Security Law. On May 27, Vermont became the latest state to adopt data security legislation (515) based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (Model Law). Subject to certain exceptions, the new law applies to those licensed, authorized to operate, or registered under Vermont's insurance laws, and requires licensees to, among other things, maintain a comprehensive written information security program, provide cybersecurity awareness training, and conduct risk assessments. Unlike the Model Law, Vermont's law does not require licensees to notify state insurance regulatory officials of cybersecurity events, nor does it modify Vermont's general breach notification statute. The act takes effect on passage; however, Sections 10 and 11 take effect 90 days after enactment.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
