You may have heard of a security vulnerability from December 2021 called Log4j that allows attackers to remotely gain control of a vulnerable device. You may also think this is old news and no longer an issue.  Wrong. According to an April 26, 2022 report from researchers at the cybersecurity company Rezilion, there are currently over 90,000 vulnerable internet-facing applications and more than 68,000 servers that are still publicly exposed. That’s right – four months after the vulnerability was disclosed, a majority of affected open-source components remain unpatched and companies continue to use vulnerable versions of this tool. So, what is it anyways and do you need to take any action to mitigate the risk?
Continue Reading Apache Log4j Security Vulnerability Is STILL a Problem – What is it, Who Does it Impact, and Should I do Anything About It?

In March, 2022, President Joe Biden signed the Strengthening American Cybersecurity Act (the “Act”) into law. While the Act consists of various regulations, the security incident reporting requirements for entities in critical infrastructure sectors are getting the most attention. Although the reporting requirements are focused mainly on entities in critical infrastructure, there is potential that entities in various industries could be subject to these requirements.
Continue Reading Strengthening American Cybersecurity Act of 2022

Considering the potential number of companies impacted by each of the following, we in Taft’s Privacy and Data Security Practice wanted to share this urgent post with more information to ensure your company is considering the related risks presented by these vulnerabilities in commonly used website tools and platforms.

  1. Log4j. The Department of Homeland Security and CISA reported the presence of this vulnerability being used to exploit websites and internet-connected devices of all kinds.
    More info here.
  2. WordPress.


Continue Reading Information Security Alert: Two Security Vulnerabilities with Widespread Reach

On October 8, 2021, President Biden signed the bipartisan K-12 Cybersecurity Act of 2021 (the “Act”) in response to K-12 educational institutions facing cyber-attacks across the United States. The types of cyber incidents targeting K-12 information systems include denial of service, phishing, ransomware and malware, and other unauthorized disclosures of personal information.

While the Act itself does not detail specific requirements for K-12 educational institutions, it seeks to address the increasing risk of cybersecurity incidents by authorizing the director of the Cybersecurity and Infrastructure Security Agency (CISA) to conduct a study on the specific cybersecurity risks currently facing K-12 educational institutions. The director has 120 days from the enactment of the Act to complete the study. The director will then have an additional 60 days to issue recommendations that include cybersecurity guidelines to assist K-12 educational institutions in responding to the cybersecurity threats described in the director’s study. In conjunction with cybersecurity recommendations, CISA will be developing an online training toolkit to educate school officials about the recommendations and to help ease the implementation of the recommendations by providing strategies for officials to take such action.
Continue Reading K-12 Cybersecurity Act: Federal Government Seeks to Improve Security for America’s Educational Institutions

On Nov. 4, the U.S. Department of Defense (DoD) announced that it is suspending the current iteration of the Cybersecurity Maturity Model Certification program (CMMC) in order to streamline the size and scope of required administrative, technical, and physical controls for businesses contracting with DoD. Originally, CMMC was designed to take full effect in 2025 by requiring every defense contractor responsible for processing controlled unclassified information (CUI) to obtain certification from an approved third-party auditor indicating satisfaction of one of five levels of certification. Implementation of CMMC is now halted until DoD has completed a revision to the program intended to strategically meet the needs and capabilities of industries conducting business with the government. As the Office of Under Secretary of Defense described it, the goal is to make cybersecurity requirements “streamlined, flexible, and secure.”

In its place, DoD intends to promote CMMC 2.0, which will reduce the certification model from five levels to three. CMMC 2.0 will remove additional controls added under the initial program and rely primarily on those set forth in NIST 800-171. All contractors required to meet Level 1 (foundational, with 10 required cybersecurity practices and annual self-assessments) will be able to self-attest satisfaction of associated requirements. Level 2 (advanced, with 110 required practices aligned with NIST 800-171) will take a bi-furcated approach to certification with some priority contractors needing to participate in the audit process, while a subset of non-priority contractors will be able to self-attest satisfaction. In the coming weeks, DoD will announce the approach for Level 3 (expert, with at least 110 required practices aligned with NIST 800-171), which will likely be subject to the audit process as well as heightened requirements.
Continue Reading See ya, CMMC. Hello, CMMC 2.0: DOD Announces Suspension of Current Information Security Certification Program

The White House issued this memorandum to corporate executives and business leaders this week in which it stresses the need for urgent vigilance in implementing many of the best information security best practices we commonly discuss on our Privacy and Data Security Insights blog.  The memo contains good information that any business of any size should consider and implement as quickly as possible to bolster its defenses to what has been an onslaught of ransomware attacks in the past year.  

Continue Reading White House Memo Stresses Need For Vigilance in Defending Against Ransomware Attacks

As we have been writing over the past year, COVID-19 has presented a huge opportunity for hackers to wreak havoc on businesses and consumers.  While confidentiality of data is usually the focus with such data breaches, system and data access is also at risk of attack by these same threat actors.  We have seen this play out on a national scale the past couple of weeks with the pipeline shutdown due to ransomware.

According to the New York Department of Financial Services (“NYDFS”), insurance claims resulting from ransomware increased by 180% between 2018 and 2019, and almost doubled that amount in 2020. (Indeed, the pipeline company paid a ransom of $4.4 million.)  As a result, the U.S. cyber insurance market was $3.15 billion in 2019 and is expected to exceed $20 billion in the next five years. And just recently, a carrier announced it would no longer pay out for ransomware claims in France.   Earlier this year,  in response to the increase in ransomware attacks, the NYDFS issued seven best practices (“Framework”) that insurers should adopt, including a recommendation that insurers should stop paying ransom payments. Insurers should be aware of what the Framework entails and what this means for them when implementing cybersecurity programs and trying to obtain insurance coverage in the future.

Continue Reading NYDFS Answers Age Old “To Pay the Ransom or Not Pay the Ransom” Question with Definitive DON’T

In response to recommendations contained in the Solarium Commission report and the Solar Winds cybersecurity incident, President Biden issued an Executive Order on May 12, 2021, outlining new requirements for information technology providers that do business with the federal government. The purpose of the requirements are to protect federal networks from malicious cyber-attacks and to improve information-sharing between the U.S. government and the private sector on cyber issues, thereby strengthening the United States’ ability to respond to incidents when they
Continue Reading Strengthening U.S. Cyber Security – New Executive Order

Guess what?  Last Thursday, the first Thursday in May, was World Password Day. Right? You didn’t even know it.  We in the Privacy and Data Security Practice Group thought it would be a perfect opportunity to talk about the importance of the most basic, but still effective way to safeguard your accounts and data. In the early days of the internet, a simple password was all you might need to adequately protect the one or two accounts you might have had. Your desktop login, your email, and maybe some early version of social media. Password security was taken so lightly; it wasn’t unusual for passwords to be stored in a plain text file on a desktop or on a sticky note at your desk. Those days are over. Well, they should be.

Continue Reading Celebrating World Password Day. Responsibly.

Taft partners Scot Ganow and Phil Schenkenberg will be featured speakers for the “Cybersecurity for In-house Legal Counsel” Seminar on Oct. 26. The virtual seminar will help in-house counsel understand the legal constructs and terminology widely used within the cybersecurity space, and to provide practical ways they can be more responsive and efficient when cyber issues arise. Taft is a sponsor of the event.

Ganow will present “Legal Overview and Key Cyber Risks for Businesses,” which covers the laws, regulations,


Continue Reading Taft Partners Ganow and Schenkenberg to Speak at “Cybersecurity for In-House Legal Counsel” Seminar