CISA Issues a Fact Sheet: Protecting Personal Information from Ransomware-Caused Data Breach

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently released a fact sheet to help government and private sector organizations protect sensitive and personal information from a ransomware-caused data breach.

Summary

“All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems...CISA encourages organizations to adopt a heightened state of awareness and implement the recommendations below.” (3)

  • Preventing Ransomware Attacks

    • Maintain offline, encrypted backups of data and regularly test your backups.

    • Create, maintain, and exercise a basic cyber incident response plan, resiliency plan, and associated communications plan.

    • Mitigate internet-facing vulnerabilities and misconfigurations.

    • Reduce the risk of phishing emails.

    • Practice good cyber hygiene.

  • Protecting Sensitive and Personal Information

    • Know what personal and sensitive information is stored on your systems and who has access to it.

    • Implement physical security best practices.

    • Implement cybersecurity best practices.

    • Ensure your cyber incident response and communications plans include response and notification procedures for data breach incidents.

  • Responding to Ransomware-Caused Data Breaches

    • Secure network operations and stop additional data loss.

    • If no initial mitigation actions appear possible, take a system image and memory capture of a sample of affected devices.

    • Follow notification requirements as outlined in your cyber incident response plan.
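The first recommendation under "Protecting Sensitive and Personal Information" is to know what personal data sits on your systems. The following is an added example, not part of the CISA fact sheet, of a minimal discovery scan for two common classes of such data, US Social Security numbers and payment card numbers, over text content. Card candidates are validated with the Luhn mod-10 check so that arbitrary digit runs are not reported, and findings are masked so the scan output does not itself become a store of personal data. The file names and records are constructed for the demonstration and are not real identifiers.

```python
"""Added example (not from the CISA fact sheet): locate SSN- and payment-card-
shaped data in text so an organization can inventory where it is stored.
All sample records below are fabricated for this demonstration."""
import re

# Constructed sample "files": path -> content (fabricated data).
SAMPLE_FILES = {
    "hr/employees.csv": (
        "id,name,ssn\n"
        "1,A. Example,123-45-6789\n"
        "2,B. Example,234-56-7890\n"
    ),
    "finance/orders.txt": (
        "order 1001 card 4111 1111 1111 1111 ok\n"
        "order 1002 card 4111 1111 1111 1112 declined\n"   # fails Luhn, must not be reported
    ),
    "docs/readme.txt": "build 20210914 serial 0000-00-0000 nothing sensitive\n",
}

# SSN: AAA-GG-SSSS, excluding never-issued area numbers (000, 666, 900-999),
# group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Card candidate: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, value) tuples for SSNs and Luhn-valid card numbers in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card", digits))
    return findings


def mask(value: str) -> str:
    """Keep only the last four characters so reports do not leak the full value."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_files(files: dict) -> dict:
    """Map each path that contains findings to its list of masked (kind, value) hits."""
    report = {}
    for path, content in files.items():
        hits = find_pii(content)
        if hits:
            report[path] = [(kind, mask(v)) for kind, v in hits]
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path)
        for kind, masked in hits:
            print(f"  {kind}: {masked}")
```

In practice the same pattern set would be run over file shares, databases and backup media, and the resulting inventory is what the incident response plan's notification procedures depend on: without knowing which systems held which data, the breach-notification step in the fact sheet cannot be carried out.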

More details are provided in the CISA fact sheet (3). For additional information and guidance beyond the CISA fact sheet, refer to the Federal Trade Commission (FTC) web page titled “Data Breach Response: A Guide for Business” (4).

References

  1. CISA: “Home Page” - Web Page

  2. CISA: “Protecting Sensitive and Personal Information from Ransomware-Caused Data Breach” - Web Page

  3. CISA: “Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches” - Fact Sheet (pdf)

  4. FTC: “Data Breach Response: A Guide for Business” - Web Page

New EU-wide whistle-blower rules approved

On April 16, the European Parliament voted (1) in favor of adopting new European Union (“EU”) wide standards to protect whistle-blowers. The standards are designed to protect whistle-blowers who reveal breaches of EU law in the areas of public procurement, financial services and tax, money laundering, product and transport safety, protection of the environment, food and feed safety, animal health and welfare, nuclear safety, public health, security of network and information systems, competition, consumer and data protection, fraud, corruption and any other illegal activity affecting the use of Union expenditures.

The new rules allow whistle-blowers to disclose information either internally to the responsible legal entity, or national authorities, as well as any relevant EU institutions, bodies, offices, and agencies. The law prohibits reprisals and includes safeguards preventing the whistle-blower from being suspended, demoted or from facing other types of retaliation.

“Recent scandals such as LuxLeaks, Panama Papers and Football Leaks have helped to shine a light on the great precariousness that whistle-blowers suffer today. On the eve of European elections, Parliament has come together to send a strong signal that it has heard the concerns of its citizens, and pushed for robust rules guaranteeing their safety and that of those persons who choose to speak out.” - Virginie Rozière (S&D, FR)

Some Adopted Text

“Persons who work for a public or private organisation or are in contact with it in the context of their work-related activities are often the first to know about threats or harm to the public interest which arise in this context. By ‘blowing the whistle’ they play a key role in exposing and preventing breaches of the law that are harmful to the public interest and in safeguarding the welfare of society. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. In this context, the importance of providing balanced and effective whistleblower protection is increasingly acknowledged both at European and international level.” (2)

“To enjoy protection, the reporting persons should reasonably believe, in light of the circumstances and the information available to them at the time of the reporting, that the matters reported by them are true. This is an essential safeguard against malicious and frivolous or abusive reports, ensuring that those who, at the time of the reporting, deliberately and knowingly reported wrong or misleading information do not enjoy protection. At the same time, it ensures that protection is not lost where the reporting person made an inaccurate report in honest error. In a similar vein, reporting persons should be entitled to protection under this Directive if they have reasonable grounds to believe that the information reported falls within its scope. The motives of the reporting person in making the report should be irrelevant as to whether or not they should receive protection.” (2)

Next Steps

EU ministers now need to approve the law. Once approved, member states will have two years to transpose it into national law and come into compliance.

GCSG Advisory Professionals will be keeping up with the progress of this legislation. Contact us to learn more.

References

Weekly Compliance News - Around the World

GCSG's Weekly Compliance News feature is a compilation of some of the previous week's interesting trade compliance, anti-bribery/corruption, fraud, and due diligence news bites from around the world.

EU and Japan to Recognize the Other’s Personal Data Protection System | JDSupra - K&L Gates LLP

"On 17 July 2018, the EU and Japan reached an agreement to recognize each other’s data protection systems as “equivalent”, and each commits to complete internal procedures by fall 2018 (the “Data Agreement”). Once adopted, this will allow businesses to transfer personal data from the European Economic Area to Japan and vice versa without being required to provide further additional safeguards for each transfer." (Click here for the article) - EU, Japan

Chinese Intelligence Officer Charged with Economic Espionage | US DOJ

"A Chinese Ministry of State Security (MSS) operative, Yanjun Xu, aka Qu Hui, aka Zhang Hui, has been arrested and charged with conspiring and attempting to commit economic espionage and steal trade secrets from multiple U.S. aviation and aerospace companies. Xu was extradited to the United States yesterday." (Click here for the article) - USA, China

Cyber Tests Showed ‘Nearly All’ New Pentagon Weapons Vulnerable to Attack | NPR

"Passwords that took seconds to guess, or were never changed from their factory settings. Cyber vulnerabilities that were known, but never fixed. Those are two common problems plaguing some of the Department of Defense's newest weapons systems, according to the Government Accountability Office." (Click here for the article) - USA, China

Security firm uncovers new cyber group targeting government and military sectors | The Hill

"A new cyber group appears to have been targeting government and military organizations this past year as part of an espionage campaign, a security firm said on Wednesday." (Click here for the article) - Eastern Europe, Middle East

Oil Industry snubs EU effort to defy US sanctions on Iran | Financial Times

"Big European oil companies are spurning the EU’s attempt to shield Iranian crude from US sanctions because of fears the effort would leave businesses exposed to harsh penalties from the Trump administration." (Click here for the article) - Europe, Iran, USA

Mitigating Compliance Pitfalls in Manufacturing | Manufacturing.net

"The U.S. Department of Justice and the Securities and Exchange Commission have stepped up efforts recently to enforce the Foreign Corrupt Practices Act (FCPA). For manufacturers, this involves regulations surrounding exports and international conduct, including those related to U.S. economic sanctions and export control laws." (Click here for the article) - USA

French ports planning for ‘No-Deal’ Brexit | freightweek

"Norlink Ports, an association of 25 ports and inland gateways in the northern Hauts-de-France region, is planning measures to reduce the commercial impact of Britain leaving the European Union without a trade agreement." (Click here for the article) - UK, France, EU

Three Audit Employees Investigated in Probe of Vehicle Certifications | WSJ

"German prosecutors have launched an investigation into three employees of Volkswagen AG’s luxury car unit Audi suspected of falsifying documents to obtain roadworthiness certifications needed for vehicles to be exported to South Korea…" (Click here for the article) - Germany, South Korea

Countries Face Rising Exposure to Money Laundering | WSJ

"More countries are showing heightened risks of exposure to money laundering, according to an annual ranking of countries assessing their money-laundering risk." (Click here for the article) - Global

Weekly Compliance News - Around the World

GCSG's Weekly Compliance News feature is a compilation of some of the previous week's interesting trade compliance, anti-bribery/corruption, fraud, and due diligence news bites from around the world.

Europe, Russia and China join forces with a new mechanism to dodge Iran sanctions | CNBC

"In the latest sign of the growing divide between Washington and its allies, the European Union's foreign policy chief announced Monday that the bloc was creating a new payment mechanism to allow countries to transact with Iran while avoiding U.S. sanctions." (Click here for the article) - USA, Russia, China, European Union

China says US trying to force it to submit on trade as new tariffs kick in | Reuters

"The United States and China imposed fresh tariffs on each other’s goods on Monday as the world’s biggest economies showed no signs of backing down from an increasingly bitter trade dispute that is expected to hit global economic growth." (Click here for the article) - USA, China

Novartis links bonuses to ethics in bid to rebuild reputation | GAN Integrity Inc.

"Swiss drug maker Novartis has revealed its employees only get a bonus if they meet or exceed expectations for ethical behavior as it seeks to address past shortcomings that have damaged its reputation." (Click here for the article) - Switzerland, USA, South Korea, China

Japan mulls bilateral trade deal with U.S. | Reuters

"Japan is mulling a bilateral trade agreement with the United States that would lower tariffs on U.S. agriculture imports in exchange for avoiding higher tariffs on Japanese autos, the Nikkei newspaper said on Saturday." (Click here for the article) - Japan, USA

Potential NAFTA collapse poses major risk to Canada | Financial Post

"Canada’s economic growth could be pared by about a quarter next year if the North American Free Trade Agreement collapses, and the drag will be extended if an automobile trade war emerges, according to a new Conference Board forecast." (Click here for the article) - Canada, USA

British inquiry intensifies Danske Bank money laundering scandal | Reuters

"Danske Bank’s money laundering scandal spread on Friday to Britain where the National Crime Agency said it is investigating the use of UK-registered companies." (Click here for the article) - Finland, Denmark, Estonia, Russia, UK

BASF commits to complying with US sanctions on Iran | Politico

"German chemical giant BASF has made a firm commitment to comply with all U.S. sanctions against Iran, becoming the latest in a string of large European companies to back away from ambitious plans to invest in the Islamic Republic following Washington’s withdrawal from the Iran nuclear deal." (Click here for the article) - Germany, Iran, USA

US Sanctions Russia and China-based IT companies for connections to DPRK | WorldECR

"The US Department of the Treasury’s Office of Foreign Assets Control (‘OFAC’) has sanctioned a Chinese IT company, its Russian counterpart and its North Korean CEO, targeting revenue repatriated to North Korea (‘DPRK’) through overseas IT workers." (Click here for the article) - Russia, China, North Korea, USA

Saturday Compliance News - Around the World

GCSG's Weekly Compliance News feature is a compilation of some of the previous week's interesting trade compliance, anti-bribery/corruption, fraud, and due diligence news bites from around the world.

Are CEOs Less Ethical Than in the Past? | Strategy + Business

"The job of a CEO at a large publicly held company may seem to be quite comfortable - high pay, excellent benefits, elevated social status, and access to private jets. But the comfortable perch is increasingly becoming a hot seat, especially when CEOs and their employees cross red lines." (Click here for the article) - Global

What if BREXIT Happened Without an Exit Deal? | Stratfor

"Negotiators for the UK and the EU are racing the clock to reach agreements on a long list of remaining issues before the UK formally leaves the bloc..." (Click here for the article) - UK, European Union

Texas jury indicts Arkema, two executives over chemical releases | Reuters

"A Texas grand jury on Friday indicted chemicals manufacturer Arkema North America and two of its executives for releasing emissions that allegedly endangered the public after a 2017 hurricane." (Click here for the article) - USA

OFAC Sanctions Russian Bank for Moving North Korean Cash | RegTech Post

"The Office of Foreign Assets Control has named Russia's Commercial Bank Agrosoyuz as a Specially Designated National, for moving funds for a DPRK bank, and for two front companies acting for the North Korean Government." (Click here for the article) - Russia, North Korea, USA

US elevates India to most-important allies list | The Economic Times

"In a big boost to India, the US has eased the export restrictions for high-technology product sales to India by designating it as a Strategic Trade Authorization-1 country, the only South Asian nation to be on the 36 countries list." (Click here for the article) - India, USA

EU Privacy Becomes Excuse to Withhold in US Bribery Probes | Bloomberg Law

"Companies are improperly using the European Union's fairly new privacy standards as the scapegoat for why they can't disclose documents to the US government during foreign bribery investigations..." (Click here for the article) - European Union, USA

CNPC refutes subsidiary's role in 1MDB money-laundering scandal | South China Morning Post

"China Petroleum Pipeline Engineering, a unit of China's state-owned oil and gas giant China National Petroleum Corp, had refuted a media report that money paid for its pipeline projects in Malaysia was diverted to third-party Cayman Islands companies involved in money laundering." (Click here for the article) - China, Malaysia, Cayman Islands, UAE

Tuesday Compliance News - Around the World

GCSG's Tuesday Compliance News is a compilation of some of the previous week's interesting trade compliance, anti-bribery/corruption, fraud, and due diligence news bites from around the world.

European firms are increasingly tackling the scourge of bribery | The Economist

"Governments in Europe are catching up with America in pursuing corporate graft...A spate of scandals in Europe suggest that prosecutors, as well as the politicians who influence how much freedom judicial investigators enjoy, are becoming ever less tolerant of corporate corruption" (Click here for the article) - Europe, USA

Fraud biggest business risk to Middle East Businesses | Gulf Digital News

"48% of Middle East businesses cited fraud and corruption as the greatest risk to their company, followed by cyber attacks (38%)..." (Click here for the article) - Middle East

Vietnam arrests oil refinery executives amid corruption crackdown | Reuters

"Police in Vietnam arrested the chairman and the chief accountant of Binh Son Refining and Petrochemical Co. Ltd. on suspicion of embezzlement..." (Click here for the article) - Vietnam

UK Data Protection Act 2018 | Cordery Compliance

"The UK's new data protection legislation, the Data Protection Act 2018 (DPA 2018) received the Royal Assent..." (Click here for the article) - UK, Europe

Serious Fraud Office charges against Barclays dismissed | Independent

"A court has dismissed charges brought by the Serious Fraud Office against Barclays relating to capital raisings that took place in 2008." (Click here for the article) - UK, Europe


Monday Compliance News - Around the World

GCSG's Monday Compliance News is a compilation of some of the previous week's interesting trade compliance, anti-bribery/corruption, fraud, and due diligence news bites from around the world.

With GDPR looming, key compliance questions still remain | DIGIDAY

"For better or worse, preparing for the General Data Protection Regulation is a do-it-yourself exercise for advertisers in the absence of stronger direction from regulators." (Click here for the article) - European Union

Turkish banker guilty of helping Iran dodge US sanctions  | Reuters TV

WATCH: US jury finds Turkish banker guilty of helping Iran dodge US sanctions (Click here for the video) - Iran, Turkey, United States

Firms can choose not to enter corruption-ridden markets | The Straits Times

"Many well-established multinationals have decent corporate cultures. Their top managements have been known to decide that if a country operates by practices in keeping with the company ethos, they would not do business in that country." (Click here for the article) - Singapore

Drug Company Allegedly Bribed Doctors to Sell its Powerful Opioid Spray | Gizmodo

"The State of North Carolina is suing a pharmaceutical manufacturer for allegedly bribing doctors and defrauding insurers in order to sell more of its powerful fentanyl spray, fanning the flames of the opioid crisis that has millions addicted and is shortening lifespans." (Click here for the article) - United States

PWC faces negligence claim over $2bn fraud at Colonial Bank | The Times

"Auditors at PWC were negligent and missed a 'Red Flag' over a huge fraud that contributed to the collapse of a bank during the financial crisis, an American court has found." (Click here for the article) - Global

CSA Issues New Code of Conduct for GDPR Compliance

On November 21, the Cloud Security Alliance (CSA) released its Code of Conduct for compliance with the European General Data Protection Regulation (GDPR). The GDPR Code of Conduct (the "Code") provides cloud service providers, cloud customers, and potential customers with guidance to assist them in complying with the new requirements found within the GDPR.

The CSA About web page states they are the "world's leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment." (1)

The Code is structured to meet the mandatory data protection requirements under Directive 95/46/EC as well as the upcoming requirements of the GDPR.

"...the CSA Code of Conduct for GDPR Compliance is of fundamental importance as it gives guidance for legal compliance and the necessary transparency on the level of data protection offered by the CSPs (Cloud Service Providers)." - Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the Privacy Level Agreement Working Group (2)

Key Link(s):