First A Ransomware Attack, Now Sanctions? New OFAC Advisory Warns of Sanctions Risks for Facilitating Ransomware Payments

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory regarding potential sanctions risks related to facilitating ransomware payments, as covered in this post from Foley Hoag’s Security, Privacy, and the Law blog.

OFAC is the federal agency responsible for implementing and enforcing U.S. sanctions against individuals, entities, and foreign governments involved in terrorism,… More

Please Join Us – ACSC 10th Annual Conference

As founding counsel and a continuing member of the Advanced Cybersecurity Center, Foley Hoag is pleased to invite you to join us in these two programs, part of the ACSC’s 10th annual conference.

Is Paying Ransomware Grounds for OFAC Sanctions? OFAC Says “Maybe”….

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies that might pay ransomware attackers of the potential sanctions risks for facilitating ransomware payments.  In particular, the alert targeted “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response….”  While this is an advisory and does not have the force of law,… More

HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals

With apologies to John Donne, ask not for whom the bell tolls, HIPAA business associates, it tolls for thee!  While it has been the law for some time that business associates could be held directly liable for breaches, enforcement actions against them have been few and far between.  But a sizable settlement announced on September 23, 2020 by the Office for Civil Rights at the U.S.… More

WATCH NOW: Data Breach Response: Discovery and Investigation

What are best practices for handling a data security incident? Every phase of a data security incident requires thoughtful and measured action – from discovery, to investigation, to post-investigation compliance. Even planning for an incident before it happens is important to lay the groundwork for the most effective response.

Foley Hoag partners Chris Hart and Veronica Jennings talk through best practices in responding to,… More

Massachusetts AG Creates “Data Privacy and Security Division”; What Enforcement Changes Will Follow?

Massachusetts Attorney General Maura Healey recently announced the creation of the Data Privacy and Security Division within her office, with the stated goal of “protect[ing] consumers from the surge of threats to the privacy and security of their data in an ever-changing digital economy.”

The leadership of the Office of the Attorney General’s (OAG’s) privacy and security efforts will not change:  Sara Cable,… More

Privacy Shield: We’ve Lost the EU but We’ve Still Got Switzerland!

In the wake of the Schrems II decision invalidating the EU-US Privacy Shield, the US Department of Commerce has decided it should make lemonade out of the Schrems lemons.  The Department recently issued a set of FAQs, which go on at length about how the Swiss-US Privacy Shield is still in place and the steps that businesses can take to participate:

The Swiss-U.S.… More

A “Time of Heightened Tensions”: Homeland Security and National Security Agency Issue Joint Cybersecurity Alert

On July 23, 2020, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), joined by the National Security Agency (NSA), issued a cybersecurity alert to operators of critical infrastructure.  This cybersecurity alert outlines a series of “immediate actions” companies should take to reduce the risk of operational interference resulting from cyberattack. Unlike the bulletin issued by the Department of Homeland Security in January of 2020,… More

FERC NOI Considers Expansion of Cybersecurity Rules to Distributed Generation

On Wednesday, June 24, 2020, the Federal Energy Regulatory Commission (FERC or “the Commission”) published a Notice of Inquiry (NOI) in the Federal Register soliciting comments on potential enhancements to the Critical Infrastructure Protection (CIP) Reliability Standards[1] that currently exist to help our energy infrastructure protect itself from attack. (Initial Comments are due by August 24, 2020, and Reply Comments are due by September 22,… More