As reported in the Hunton Nickel Report:

Recent press reports indicate that a cyber attack disabled the third-party platform used by oil and gas pipeline company Energy Transfer Partners to exchange documents with other customers. Effects from the attack were largely confined because no other systems were impacted, including, most notably, industrial controls for critical infrastructure. However, the attack comes on the heels of an FBI and Department of Homeland Security (“DHS”) alert warning of Russian attempts to use tactics including spearphishing, watering hole attacks, and credential gathering to target industrial control systems throughout critical infrastructure, as well as an indictment against Iranian nationals who used similar tactics to attack private, education, and government institutions, including the Federal Energy Regulatory Commission (“FERC”). These incidents raise questions about cybersecurity across the U.S. pipeline network. Continue Reading Attacks Targeting Oil and Gas Sector Renew Questions About Cybersecurity

The U.S. Department of Justice (the “DOJ”) has unsealed an indictment accusing nine Iranian nationals of engaging in a “massive and brazen cyber assault” against at least 176 universities, 47 private companies and 7 government agencies and non-governmental organizations, including the Federal Energy Regulatory Commission (“FERC”). According to the DOJ, the nationals worked for Mabna Institute, an Iranian-based company, as “hackers for hire,” stealing login credentials and other sensitive information to sell within Iran and for the benefit of the Iranian government. Continue Reading DOJ Accuses Iranian Nationals of “Brazen Cyber Assault” on Universities and Government Agencies

On March 14, 2018, the Department of Justice and the Securities and Exchange Commission (“SEC”) announced insider trading charges against a former chief information officer (“CIO”) of a business unit of Equifax, Inc. According to prosecutors, the CIO exercised options and sold his shares after he learned of a cybersecurity breach and before that breach was publicly announced. Equifax has indicated that approximately 147.9 million consumers had personal information that was compromised. Continue Reading Insider Trading Charges Brought Against CIO for Post-Breach Trading

On February 26, 2018, the United States Court of Appeals for the Ninth Circuit ruled in an en banc decision that the “common carrier” exception in the Federal Trade Commission Act is “activity-based,” and therefore applies only to the extent a common carrier is engaging in common carrier services. The decision has implications for FTC authority over Internet service providers, indicating that the FTC has authority to bring consumer protection actions against such providers to the extent they are engaging in non-common carrier activities. The Federal Communications Commission (“FCC”) has previously ruled that Internet access service is not a common carrier service subject to that agency’s jurisdiction. Continue Reading Ninth Circuit Decision Bolsters FTC Authority over Internet Service Providers

On February 27, 2018, the Federal Trade Commission (“FTC”) announced an agreement with PayPal, Inc., to settle charges that its Venmo peer-to-peer payment service misled consumers regarding privacy and the extent to which consumers’ financial accounts were secured. This is the second significant FTC settlement in the past three months that addressed these issues, following the FTC’s action against TaxSlayer, Inc. and signals a renewed focus by the FTC on violations of the Gramm-Leach-Bliley Act’s (“GLBA’s”) Privacy and Safeguards Rules. Continue Reading FTC Announces Settlement for Venmo’s Alleged Violations of the GLBA’s Privacy and Safeguards Rules

On February 13, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it entered into a resolution agreement with the receiver appointed to liquidate the assets of Filefax, Inc. (“Filefax”) in order to settle potential violations of HIPAA. Filefax offered medical record storage, maintenance and delivery services for covered entities, and had gone out of business during the course of OCR’s investigation.  Continue Reading Unsecured PHI Leads to OCR Settlement with Closed Business

On February 1, 2018, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a settlement with dialysis clinic operator, Fresenius Medical Care (“Fresenius”). Fresenius will pay OCR $3.5 million to settle claims brought under Health Insurance Portability and Accountability Act rules, alleging that lax security practices led to five breaches of electronic protected health information. Continue Reading HHS Announces $3.5 Million Settlement with Fresenius Medical Care

Recently, the General Services Administration (“GSA”) announced its plan to upgrade its cybersecurity requirements in an effort to build upon the Department of Defense’s new cybersecurity requirements, DFAR Section 252.204-7012, that became effective on December 31, 2017. Continue Reading GSA to Upgrade Cybersecurity Requirements

On November 8, 2017, the United States District Court for the Northern District of California ordered German defendants in an ongoing patent suit, BrightEdge Technologies, Inc. v. Searchmetrics GmbH, to produce a particular database, despite the defendants’ claims that such production would violate German privacy laws. Continue Reading German Privacy Laws Intersect with Discovery in a Patent Case