FBI Seizes Hive Ransomware Servers—Blocks US$130 Million in Demanded Ransoms

On January 26, Attorney General Merrick Garland announced that the Department of Justice dismantled the “Hive” ransomware group, which had targeted more than 1,500 victims worldwide since June 2021. Between June 2021 and June 2022, Hive extorted over US$100 million in ransom payments, targeting hospital systems, school districts, food service companies, and other organizations.

Attorney General Garland explained the FBI infiltrated the Hive network in the summer of 2022 and began disrupting Hive’s attempts to extort victims—primarily by providing decryption keys to Hive’s victims. Since July 2022, the FBI and DOJ have assisted more than 300 victims, thwarting Hive’s efforts to collect approximately US$130 million in ransom payments. The FBI was assisted by U.S. and international law enforcement partners.

In July 2021, the Biden Administration launched the Ransomware and Digital Extortion Task Force, combining assets from DOJ and the U.S. Department of Homeland Security. The U.S. Department of the Treasury has estimated ransomware attacks cost U.S.-based organizations US$886 million in 2021. The DOJ’s dismantling of the Hive group is the latest example of federal law enforcement’s commitment to cybersecurity and data privacy.

Takeaway: This was a welcome victory for law enforcement vis-à-vis the organized crime syndicates that sponsor ransomware or carry out attacks via ransomware as a service. With a renewed vigor from the federal government post-Colonial Pipeline and post-Ukraine invasion, we hope and expect that law enforcement will continue to expend significant effort to disrupt these syndicates in 2023. In the interim, companies should continue to focus on prophylactic measures such as phishing training, multi-factor authentication, incident response planning, the deployment of EDR tools and good cybersecurity policies and hygiene, among other things. Read our additional resources on how to protect yourself from ransomware attacks in the Harvard Business Review HERE and HERE.

New Cybersecurity Laws Come into Force in the EU

The EU has updated its cybersecurity laws to set minimum standards for cybersecurity across the bloc, and to strengthen the resilience of entities which service the EU’s critical infrastructure.

The Directive on measures for a high common level of cybersecurity across the Union (“NIS 2”) is an update to NIS 1 and extends the range of service providers subject to cybersecurity requirements, which are somewhat general in nature. NIS 2 sets out reporting obligations and minimum standards of risk-management measures for qualifying entities who operate in key sectors including energy, banking and finance, health, digital infrastructure and space. Whether entities fall within the scope of NIS 2 will depend on their size and the nature of the services they provide.

“Essential” and “important” entities must register with their competent authority and report any incidents which have a “significant impact” on the provision of their services within 24 hours. They will also have to take appropriate measures to manage their cyber risks such as implementing cybersecurity policies, cyber hygiene practices, and training. EU Supervisory Authorities (“SAs”) will be given new enforcement powers including the power to issue fines of up to €10 million or 2% of the entity’s total worldwide annual turnover in appropriate cases. Crucially, there are also direct obligations on senior management who can be found personally liable for infringements (which could result in fines and/or a ban from managerial functions).

The Directive on the resilience of critical entities (“CER”) imposes obligations on “critical” entities operating in key sectors to enhance their resilience and safeguard services which are integral to the functioning of the EU market. Critical entities will be required to (i) conduct risk assessments identifying risks which could disrupt the provision of their essential services; (ii) create and implement resilience plans; and (iii) report all incidents which significantly disrupt, or have the potential to significantly disrupt, the provision of critical services. SAs will be given new enforcement powers, including the power to conduct on-site inspections, procure audits and require the provision of information. Member states will need to adopt national mechanisms for performing risk assessments and create criteria for their assessments. Entities of particular European significance (i.e., those that provide essential services to 6 or more EU member states), will be subject to specific oversight from the European Commission, which is likely to drive EU wide standards of compliance.

As directives, these laws are not directly applicable and instead must be transposed into national law by EU member states by October 17, 2024.

Takeaway: Like the US, the EU regulators are creating more robust policies and requirements for “critical infrastructure” entities. Businesses should carefully review the directives to determine whether they are in scope and look out for further guidance on the registration process under NIS 2 and the relevant national law implementations. In-scope businesses should also start assessing their cyber risks, and start planning to implement any necessary new measures to comply with their new obligations when they come into legal force in 2024.

EDPB Adopts Cookie Banner Taskforce Report

In September 2021, the European Data Protection Board (“EDPB”) established a Cookie Banner Taskforce (the “Taskforce”) to align the handling of various complaints received from NOYB (the Max Schrems-fronted privacy activism organization). On January 17, 2023, the EDPB adopted a report (the “Report”) on the work of the Taskforce, which sets out the Board’s position on the interpretation and application of EU privacy law to cookie banners.

The Taskforce concluded that certain practices, including banners which present an “accept all” option without presenting an option to “decline all” on the same layer, and pre-checked boxes which require the user to un-check the box to opt out, risk breaching EU privacy law. The Taskforce also agreed that cookie banners should not be designed to give users the impression that they must consent in order to access the website, and that practices such as, for example, burying the decline option in text or outside the cookie banner, with insufficient visual support to draw the user’s attention to the option to decline, would render a consent invalid. It also agreed that some designs which used contrast and color (i.e., so-called “dark patterns”) to promote the “accept” button over the “decline” button might be misleading and highlighted the importance of assessing complaints which relate to design features on a case-by-case basis. The Taskforce also highlighted that website operators should provide easily accessible routes for users to withdraw their consent at any time, such as hovering and permanently visible icons.

The Report stresses that the positions it sets out reflect common minimum thresholds to be considered alongside national laws.

Takeaway: This non-binding, but highly influential, report offers useful guidance on best practices in cookie banner design, including opinions as to what practices might fall afoul of EU privacy law. Website operators should review the recommendations and, where necessary and appropriate, consider making changes to follow these recommendations. In addition to the EU, the FTC also has taken up the charge against so-called “dark patterns.” You can read more about the FTC’s thinking on “dark patterns” in issue 21 of Cyber Bits.

President Biden Urges Congress to Pass Bipartisan Legislation Holding Big Tech Accountable

On January 11, 2023, the Wall Street Journal published an Op-Ed by President Biden calling on Congress “to pass strong bipartisan legislation to hold Big Tech accountable.” The President appealed to Democrats and Republicans with three broad principles for reform.

First, President Biden stressed the need for federal privacy protections with clear limits on how companies can collect, use and share personal data, including stricter protections on data collected from children. He also called for banning targeted advertising to children.

Second, the President called for amending Section 230 of the Communications Decency Act, which protects social media companies from legal responsibility for content posted by third parties on their platforms. President Biden also called for more transparency around the algorithms these companies use to match the information users see with their preferences.

Third, the President again called for more competition in the tech sector, building off his July 2021 Executive Order on Promoting Competition in the American Economy, and arguing that the “next generation of great American companies shouldn’t be smothered by the dominant incumbents.”

Takeaway: Regardless of whether Congress acts to regulate tech companies in response to pressure it is getting from the Biden Administration, we expect to see the Administration continue to use the executive function and agency regulatory authority to attempt to restrict the industry in the name of protecting Americans’ privacy, particularly that of children. Additionally, in this environment we expect enforcement in the privacy arena in this Administration to continue to be robust. To those unfamiliar with the US privacy landscape, the gridlock might seem surprising and the reasons for the impasse are complex. But, part of the log jam is that of some California’s Congressional delegation object to a national privacy standard that would overrule much of California’s influential privacy law. Also, disagreements persist among policymakers and commentators on how and how much to regulate the tech sector generally, with disputes surrounding issues of commercial growth and privacy concerns often contributing more heat than light. The Biden Administration has its own views about these issues, but there is no consensus on them and the prospects of momentum are unlikely.

US States Charge Ahead with Privacy Law Proposals

In the absence of comprehensive federal privacy legislation, an increasing number of U.S. states are forging ahead and working on enacting their own privacy laws. Five states currently have their own privacy laws on the books: California, Colorado, Connecticut, Virginia and Utah. Recent state-level legislative activity suggests that others may soon follow. The International Association of Privacy Professionals (“IAPP”) reports that 60 comprehensive consumer privacy bills were considered across 29 states in 2022, and that the first month of 2023 saw more than ten states considering state privacy legislation.

A multitude of state privacy laws in place of comprehensive federal privacy legislation complicates compliance for companies, forcing them to navigate differing standards. Differences in mandatory privacy policy disclosures, the terms that need to be in contracts before personal information can be shared with vendors, and consent requirements for the processing of sensitive personal information are only some of the issues companies currently need to address on a state-by-state basis.

Navigating overlapping compliance regimes also can be expensive. In fact, the Information Technology and Innovation Foundation, a nonprofit research institution, published a 2022 study concluding that if all fifty U.S. states enacted separate data privacy laws, it could cost businesses US$1 trillion over ten years.

Takeaway: The old adage “power abhors a vacuum” is at work here. In the absence of a federal privacy law, for which we’ve been waiting for the better part of two decades, the states are stepping in. Given the gusto with which state legislatures are taking up privacy legislation, we would say that companies looking to avoid spending their finite resources on complying with a dizzying number of state-specific laws may want to consider pushing for a federal law. Both from a consumer protection perspective and from the need to create a simple pro-business system, the logic for harmonization is inescapable. Given the dysfunction in Congress, however, we don’t see that happening any time soon. In the interim, the practical approach is to implement policies that comply with those states having the strictest standards.

California Attorney General Announces CCPA Investigative Sweep

On January 27, 2023, California Attorney General Rob Bonta (“California AG”) announced that his office had initiated an investigative sweep, sending letters to mobile app providers that allegedly failed to comply with the California Consumer Privacy Act (“CCPA”). The sweep focuses on businesses’ alleged failures to (i) offer a mechanism for California consumers to opt out of the “sale” of their personal information and (ii) comply with consumer opt-out requests.

The sweep will also focus on businesses’ alleged failure to comply with requests submitted by authorized agents, with the California AG specifically calling out requests submitted via “Permission Slip”. Permission Slip is a mobile app developed by Consumer Reports that is designed to enable California consumers to send CCPA rights requests to businesses. The California AG stated that the sweep will focus on mobile app providers in the retail, travel and food service industries.

Importantly, in a statement accompanying the announcement of the investigative sweep, the California AG once again focused on compliance with user-enabled global privacy controls as valid requests to opt-out of “sales” of personal information. The California AG has addressed this requirement multiple times before, including in the AG’s sole public CCPA settlement.

Takeaway: Businesses that have not implemented a tool and process to enable California consumers to opt-out of sales of personal information and monitor for Global Privacy Control Signals need to prioritize doing so. Similarly, businesses need to ensure they have a process in place to verify and comply with authorized agent requests.