The Nigerian prince seems almost quaint.

Gone are the days when the Nigerian prince was the only nefarious figure menacing our inboxes.  A simple yet elegant scheme – our supposed prince unexpectedly fell upon a large sum of money, left behind by a fallen war hero, bequeathed by a terminally-ill spouse, or, perhaps, borne from the fruits of new age oil exploration. The funds are (somehow) rightfully yours, but a bureaucratic quagmire has them tied up, and they cannot be released until you pay a *small* fee. Just send a few million dollars to a specified bank account, and the endless riches are yours.

Recent amendments to Pennsylvania’s data breach law -- the Breach of Personal Information Notification Act – will take effect May 3. The amendments were enacted in November.

Originally enacted in 2006, the Act provides for the security of computerized data and requires notification to Pennsylvania residents whose personal information data was, or may have been, disclosed due to a breach of the security of an entity’s system. 

The life cycle of a data security incident begins and ends with preparation.

Unfortunately, there is no such thing as a network or system with “zero vulnerabilities.” There are jokes about absolute network security, including that the only secure network is one without users or one with no access. There is no perfect code, no perfect software, no perfect hardware, and even the most well-intentioned user can be socially engineered. Consequently, preparation at all levels of information security is critical to protect businesses from catastrophic attacks.

Fight back against this major cyber threat.

Business Email Compromise is one of the greatest cyber threats to businesses of all sizes and industries, particularly those involved in regular wire transfers of funds. According to the Federal Bureau of Investigation, between June 2016 and December 2021, BEC scams were reported in all 50 states and 177 countries, with more than 140 countries receiving fraudulent transfers. These statistics are based on information reported to the FBI by victims, law enforcement, and the banking community. Actual and attempted dollar losses associated with these reports exceed $43 billion. Because these numbers are based only on compromises that have been reported, the true cost of BEC scams is in all likelihood much greater.

Proposed regulations have been submitted for review.

On February 3, the Board of the California Privacy Protection Agency held its latest public meeting, focused on the anticipated regulations interpreting the California Consumer Privacy Act, as now amended by the California Privacy Rights Act.

An updated version of the NIST Cybersecurity Framework is on the way.

In 2013, President Barack Obama directed the National Institute of Standards and Technology (“NIST”) to lead the development of a cybersecurity framework to “reduce cyber risks to critical infrastructure.” The result was the NIST Cybersecurity Framework (formally, the “Framework for Improving Critical Infrastructure Cybersecurity”), a comprehensive, flexible, and scalable approach that provides a structure that can be used by entities to create, guide, assess, or improve their cybersecurity programs. The first version, v1.0, of the CSF was released in February 2014. NIST subsequently released v1.1 of the CSF in April 2018 to clarify, refine, and enhance the framework. Since its release, the CSF has been widely adopted across a range of industries within the United States and internationally.

In Jones v. Google, LLC, a three-judge panel of the U.S. Court of Appeals for the Ninth Circuit held that a district court judge erred in finding that state privacy claims were preempted by the federal statutory framework referred to as the Children’s Online Privacy Protection Act, or “COPPA.” The district court had dismissed a class action brought by children based on allegations “that Google used persistent identifiers to collect data and track their online behavior surreptitiously and without their consent…”

This year’s deadline for filing individual tax returns is April 18.

Malicious actors routinely target human resources professionals, certified public accountants, and individual employees with social engineering attacks during tax season in an effort to obtain copies of Internal Revenue Service Form W-2 (Wage and Tax Statement). Form W-2 contains the information that allows a malicious actor to file false tax returns and steal the refunds. Those who receive, process, or maintain copies of W-2s should be on the lookout for phishing emails and other types of social engineering attempts this tax season.

Welcome to the Constangy Cyber Advisor! Our 44-member cybersecurity and data privacy team is excited to announce we have joined the nationally renowned labor and employment law firm Constangy, Brooks, Smith & Prophete, LLP! As part of this move, the Constangy Cyber Team will regularly post blogs to the Constangy Cyber Advisor about significant data privacy and information security issues. Our blog posts will be informed by the thousands of data breaches we have managed, the dozens of new data breaches we manage each week, the robust compliance advisory services we provide to our clients, and the complex data privacy and security litigation on which we consult with our class action litigators.