New Privacy Law Passed
For those that are still reading after the scintillating title “privacy law compliance,” Virginia officially passed the Consumer Data Protection Act (CDPA) on March 2nd when the Governor signed the bill into law. This new privacy law goes into effect on January 1, 2023, so mark your calendars.
For those already compliant with Europe’s GDPR or with California’s CCPA, there shouldn’t be too much concern about Virginia’s new CDPA. The core elements of the state laws are very similar. Nevertheless, there are nuances in the laws’ language and relevant companies should consult with their attorneys and IT compliance specialists (we can provide references!) to determine what action, if any, they need to take.
Are You Affected?
Your business is affected by CDPA if any of the following are true:
Your business stores or processes at least 100,000 personal records of Virginia residents.
Your business derives the majority of its gross revenue from the sale of personal records of at least 25,000 Virginia residents.
There are, of course, exceptions. Local governments, such as cities or counties, and local school boards are exempt, as are nonprofits and institutions of higher education, among others. On the other hand, because of today’s connected world, if you perform any business on the Internet, it is very likely that some of your business originates from Virginia.
For a more complete analysis of the new law and its effects, see:
Or, for the brave of heart, see the full law:
The Virginia law is likely not the last privacy law that we will see. Whether the federal government ends up passing a privacy law or not, other states are likely to follow in California and Virginia’s path, with the most likely next candidates being Massachusetts, New York, and Washington.
Patch Your Exchange Servers
On March 5, Brian Krebs, an independent security researcher, reported that vulnerabilities in Microsoft’s Exchange Server that could affect as many as 30,000 organizations across the United States are being actively targeted and exploited by Chinese espionage units.
Microsoft released an emergency security patch for the affected software, which includes Microsoft Exchange Server 2013, 2016, and 2019. Microsoft reported that its Exchange Online service is not affected by the identified issues.
This issue is considered critical: Chris Krebs, the former director of the Cybersecurity & Infrastructure Security Agency, reported that organizations with Internet-facing OWA servers should assume a compromise until they prove otherwise. Microsoft has reported several indicators of compromise in its patch release and has also released a script for the port-scanning tool nmap to detect vulnerable servers.
Flagstar Bank disclosed a data breach after a ransomware gang compromised its Accellion file transfer server in January. The ransomware gang posted screenshots of stolen data from the breach, which included customers’ Social Security numbers, names, addresses, phone numbers, and tax records.
The same ransomware gang also compromised the cybersecurity firm Qualys with the same vulnerability in an Accellion file transfer server.
Accellion reported four security vulnerabilities that were exploited in these data breaches. Accellion patched two of the issues on December 20, 2020 and the remaining two on January 25, 2021.
The Takeaway: Patch. Patch. Patch. Companies are using more and more third-party software and tools in their business. This third-party software adds risk to your environment, especially when it has access to critical data, hosts, and processes. Pay careful attention to vulnerability management and stay up to date on testing and applying patches.