Friday Five 6/18
New data privacy acts, the G7 on ransomware, and how cybersecurity factors into M&As - catch up on all of the week's infosec news with the Friday Five!
1. G7 leaders ask Russia to hunt down ransomware gangs within its borders by Sergiu Gatlan
The leaders at the G7 this week urged Russia to actively disrupt ransomware groups operating within its borders. This follows the near-constant attacks on critical infrastructure worldwide over the last few months. For the first time, the G7 member states (the UK, US, Canada, Japan, Germany, France, and Italy) committed to working together to combat the ransomware crisis. The statement from the collective G7 was intended to increase pressure on Putin before his June 16 summit with Biden in Geneva, where ransomware was one of many issues on the agenda. At that summit, President Biden asked Putin about the ransomware attack against Colonial Pipeline earlier this year - specifically, he asked how Putin would feel if a ransomware attack hit Russia's oil network - before vowing to take action against any Russian cyberattacks.
2. Pandemic prompts digital 'boom' in account creation - as well as password fatigue by Charlie Osborne
As the COVID-19 pandemic has forced more users online for services ranging from groceries to entertainment, new research has found that creating so many new accounts has weakened our security posture. Perhaps the most concerning finding from the study is that 82% of participants admitted to reusing the same passwords and credentials when creating new accounts. This is not surprising when you consider another statistic from the study: individuals signed up for 15 new online accounts a day at the peak of the pandemic. Another concern stems from the fact that 44% of users plan not to deactivate these new accounts, something that could greatly increase the number of vectors from which cybercriminals can attack. The story is a good reminder that if you’re going to create a new account, consider password managers and two-factor authentication (2FA) to keep your account secure.
3. Colorado Passes State Privacy Act, Poised to Become Law by Chris Brook
Following the lead of California and Virginia, Colorado is poised to enact the latest cross-industry privacy rights law. The legislation is expected to be signed by the Governor and would go into effect in July 2023. The law would give users more control over their data by allowing them to opt out of the processing of their personal data and to demand that businesses delete their data. However, the legislation does not include a private right of action, which would allow users to sue a company if it loses their data in a hack or breach. The Colorado law is the latest in what is expected to be a flood of privacy legislation at the state level, as the U.S. still lacks a comprehensive data privacy law.
4. European Privacy Ruling Could Mean More Scrutiny of Companies by Catherine Stupp
The top court in the European Union is set to weigh in on whether a privacy regulator can sanction a company if the company’s headquarters is in another country. The case in question deals with whether the Belgian data protection authority can take Facebook to court even though the tech company’s headquarters are in Ireland. The current system is not efficient, as a disproportionate number of large multinational corporations are based in Ireland for tax reasons and it’s difficult for Ireland to keep up with the cases sent by other nations in the EU. On the other hand, companies are concerned about the change, as it may mean conflicting decisions from regulators in different countries, which would make it difficult to create policies for business. Whichever way the court rules, it will be a big decision for privacy regulation in the EU.
5. Cyberattacks, Privacy Legislation Shape M&A Dealmaking Process by Jake Holland
This interesting article looks at how privacy and cybersecurity have been incorporated into the decision-making process around mergers and acquisitions. This consideration stems from the number of recent high-profile cyberattacks and the increase in regulation from new data privacy laws. As a result, in considering an acquisition, companies now closely review the security records and compliance programs of a company before making a deal. For example, in Europe, acquiring a company with lax security that risks a potential breach could result in fines of up to 20 million euros or 4% of the company’s worldwide annual revenue if a breach occurs. A major positive aspect of the new approach to security is that it’s forcing companies to reevaluate their own security policy before a potential merger, as cybersecurity considerations in M&A are here to stay.