Cyber Capsule - November 2022

Troutman Pepper

Please find our seventh edition of the Cyber Capsule. As the year end approaches, there was a notable absence of prospective cyber-related regulation. Instead, this edition highlights the rising cost of ransomware, yet another reason to implement MFA, a recent FTC action, and an admonishment for FTC overaction. And with the CPRA taking effect on January 1, 2023, we include a reminder that organizations can leverage CPRA-related data mapping for cybersecurity purposes.

KEEP YOUR EYES ON THESE

  1. Crime Pays. On November 1, the Treasury's Financial Crimes Enforcement Network (FinCEN) released a report indicating that U.S. financial institutions spent nearly $1.2 billion in ransomware payouts in 2021, a jump from a reported $416 million in ransomware payouts in 2020. The report also notes that there were 1,489 reported incidents in 2021, compared to 487 in 2020 — a 200% increase — leading FinCEN to conclude that "ransomware continues to pose a significant threat to U.S. critical infrastructure sectors, businesses, and the public."

  2. Stay in Your Lane. On November 4, three U.S. senators wrote to Federal Trade Commission (FTC) Chair Lina Khan, opposing the FTC's Advanced Notice of Proposed Rulemaking for the Trade Regulation Rule on Commercial Surveillance and Data Security. The senators argue not only that data privacy rulemaking is beyond the FTC's authority, but that it will only further add to the existing, complicated patchwork of legislation.

  3. You'd Think They'd Learn After the Second Breach? Commercially Reasonable Security Measures. On October 31, the FTC announced that it was taking action against an education technology provider for its lax data security practices, which allegedly exposed the Social Security numbers, email addresses, and passwords of millions of its customers and employees. The FTC also alleged that the company failed to fix problems with its data security despite experiencing four security breaches since 2017. The FTC's proposed order requires the company to (1) bolster its data security, (2) limit the data the company collects and retains, (3) offer its users multifactor authentication to secure their accounts, and (4) allow users to access and delete their data.

POTPOURRI

  1. The Center for Internet Security reported that 81% of K-12 schools have not properly implemented multifactor authentication (MFA) and 29% of K-12 schools do not have MFA at all.

  2. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched a Stakeholder-Specific Vulnerability Categorization, a decision-tree model guide for companies to use to prioritize vulnerability patching.

  3. The National Security Agency (NSA), CISA, and Office of the Director of National Intelligence (ODNI) jointly released recommendations that software vendors can use to help secure the supply chain.

FORGET ME NOT

  1. The California Privacy Rights Act (CPRA) will take effect January 1, 2023. The deadline for promulgating regulations as set out under the CPRA has long passed, which means businesses are eager to receive finalized rules. Given that it is already December, and in light of the Office of Administrative Law's 30-day review period, the soonest that companies will likely receive finalized regulations is at the end of January or February. Despite this, companies should continue to make good faith efforts to comply with the law, even in the absence of finalized regulations. For an overview of the most recent changes to the proposed regulations, see here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
