Cyber Capsule - September 2022

Troutman Pepper

Welcome to our latest edition of the Cyber Capsule. September followed trends we have seen the last few months, with legislation directed at funding to support state and local governments in their quest to stop cyberattacks; programs encouraging information sharing to help companies, particularly those in health care, better position themselves against cyberthreats; and of course, the latest sagas from the threat actor world.

As the World Turns

  1. Not in My Backyard. On September 7, the Albanian government expelled Iranian diplomats from Albania. Why? Because Albania possessed indisputable evidence that the Iranian government orchestrated a July ransomware attack that shut down certain Albanian government websites to delete and steal government data. The Biden administration said it supports Albania in this move.

Everybody Needs a Helping Hand

  1. Help! On September 9, the Cybersecurity and Infrastructure Security Agency (CISA) issued a press release, announcing plans to develop and publish a notice of proposed rulemaking and comment for proposed regulations for cyber incident and ransom payment reporting. CISA is interested in learning how members of the public define industry terms, such as "covered entity" and "covered cyber incident"; how, what, and within what timeframe covered entities should report cyber incidents; and what additional policies and procedures to enforce regulatory requirements might be needed. The public has 60 days to provide written submissions. Detailed information about the RFI is available on CISA's website.

  2. Funding the Fight. On September 16, the U.S. Department of Homeland Security (DHS) launched a grant program, allocating $1 billion in funding over the next four years to support state and local governments in their effort to address cyber risks to their information systems and critical infrastructure. DHS will provide two funding opportunities: (1) the September 2022-announced funding opportunity for state, local, and territorial governments, which includes making local governments eligible sub-recipients through their respective states and territories; and (2) a separate tribal grant program to be released later this fall.

SHARING IS CARING

  1. Agency Notification No More. On September 23, California Governor Gavin Newsom vetoed AB1711. If enacted, this bill would have required persons or businesses that experienced a privacy breach to post breach-related information on the agency's website for 30 days.

  2. Health Care Sector Needs a Security Checkup. On September 13, Representatives Jason Crow (D-CO) and Brian Fitzpatrick (R-PA) introduced HR8806, the Healthcare Cybersecurity Act. The bill seeks to reduce the number of cyberattacks on hospitals and health care entities by directing CISA to work with the Department of Health and Human Services (HHS), as well as collaborate with HHS to improve cybersecurity in that sector. In addition, CISA must provide training on cybersecurity risks and mitigation strategies to asset owners in the health care and public health sector. CISA must also conduct a study on cybersecurity risks in the health care and public health sector, which must address, among other topics, the impact of the risks on rural entities and small- and medium-sized entities, cybersecurity workforce shortages in the sector, and challenges related to the COVID-19 emergency.

  3. I'm Telling! California School Districts Must Report Certain Cyberattacks. On September 27, California Governor Gavin Newsom signed AB2355, which requires California school districts to report to the California Cybersecurity Integration Center (Cal-CSIC) any cyberattacks that affect more than 500 students. The bill intends to compile and analyze data about cyberattacks, so schools can better understand them. Per the bill, these provisions would be repealed on January 1, 2027.

FORGET ME NOT

  1. Piecing It All Together. On September 6, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) published Cyber-Related Sanctions Regulations, 31 C.F.R. Part 578. The regulations do not change any prior OFAC guidance, but simply reissue the regulations posted on December 31, 2015. Because parsing through the regulations can be tedious, we went ahead and did it for you. Click here for a summary of key points to consider before making your next ransom payment.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
