Cyber Capsule - October 2022

Troutman Pepper

Welcome to the sixth edition of the Cyber Capsule. This edition focuses on protecting judges’ personal information; an uptick in phishing; a regulatory decision and a judicial opinion, each of which may impact how companies respond to data security incidents; and a cybersecurity labeling system.

KEEP YOUR EYES ON THESE

  1. Judges' Personal Information Under Seal?: On October 11, the Judicial Security and Privacy Act (Act) was added to the National Defense Authorization Act. The proposed Act would: (1) shield federal judges' online information; (2) make it illegal for data brokers to knowingly buy or sell judges' personal information; (3) bar government agencies and private businesses from publicly posting that information online; and (4) establish a grant program to allow state and local government agencies to expand programs to redact or remove judges' information from public databases. The proposed Act defines personal information broadly to include home addresses, telephone numbers, personal email addresses, Social Security and driver's license numbers, bank and credit card information, license plate numbers, and the names and addresses of schools or businesses where judges' immediate families attend or work.

  2. Label Me Cyber Friendly: On October 12, the Biden administration announced plans to proceed with a labeling system to inform consumers about the security level of their internet-connected devices. The labeling system is still in its infancy, and four principles will guide it: (1) designing devices with security in mind; (2) incorporating authentication and authorization measures; (3) encrypting data at rest and in transit; and (4) implementing regular software updates and security patches. The Cyberspace Solarium Commission, a bipartisan and congressionally mandated body that makes recommendations on how the U.S. can improve its cybersecurity, has called for the creation of an agency to make these evaluations. Expected to launch in 2023, the new labeling system will start with some of the most common, at-risk technologies — routers and home cameras — to "deliver the most impact, most quickly."

  3. All Aboard — Next Stop, Cyberville: On October 18, the Transportation Security Administration (TSA) released new cybersecurity requirements for passenger and freight railroad carriers. The directive requires railroad operators to create response plans to cybersecurity episodes and to implement monitoring and detection policies. According to the directive, covered carriers must submit plans to TSA for approval by February 2023 on how they will comply with the new rules, and then file annual compliance assessments with the agency.

  4. Don't Bank on It: Based on a recent report involving online payment platform scams, it appears that banks have not been helpful in reversing unauthorized transactions. Generally, when a consumer has his/her online bank account taken over, banks are legally obligated to reverse any unauthorized transactions if the transaction is reported in a timely manner. The report is based on data from three large banks. These banks reported 35,848 cases of scams involving over $25.9 million in payments in 2021 and the first half of 2022. These three banks reported repaying customers in only 3,473 cases (representing nearly 10% of scam claims) and repaid only $2.9 million.

  5. NYDFS Sees Error in Medical Financial Services Company's Ways: On October 18, New York's Department of Financial Services (DFS) entered into a consent decree, ordering a medical financial services company to pay $4.5 million to end a probe into whether it breached state cybersecurity rules before a 2020 phishing attack that exposed hundreds of thousands of consumers' personal data. The company violated DFS' Cybersecurity Regulation by failing to: (1) use multifactor authentication across its email environment; (2) sufficiently limit internal access to the breached email mailbox; (3) separate login credentials; and (4) timely dispose of the data.

AS THE WORLD TURNS

  1. Like Shooting Fish in a Barrel: INKY found that COVID-19 phishing messages doubled in September 2022 as compared to the previous three months, according to a BleepingComputer.com article. Threat actors are using U.S. Small Business Administration (SBA) and Google Forms to host phishing pages that steal the personal details of business owners.

  2. Do Not Accept Delivery: A Check Point study revealed that DHL is the most spoofed brand in phishing emails, accounting for 22% of all worldwide phishing attempts between July and September 2022. Microsoft came in second for Q3, with 16% of worldwide phishing scams, followed by LinkedIn in third, with 11% of worldwide phishing. Pour one out for LinkedIn; it held the first-place position in Q1 and Q2 before being toppled by the international shipping company.

  3. You Can't Make This Up: According to Sophos, companies in manufacturing and production that suffer ransomware attacks make ransom payments of over $2 million, on average. This is more than double the average payment of $800,000, according to the cybersecurity solutions company.

FORGET ME NOT

  1. I'm Still Standing: The Third Circuit recently clarified the requisite "injury-in-fact" that could give rise to Article III standing to bring claims from a data breach. It held that a plaintiff has standing to sue if there is a "substantial risk" of imminent harm after a data breach had been posted on the dark web. See Clemens v. ExecuPharm, Inc. et al., No. 21-1506, 2022 WL 4005322 (3d Cir. Sept. 2, 2022).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper