Privacy Archives - Discerning Data

The Wallet Inspectors: The DPRK’s Sophisticated Campaign to Steal Cryptocurrency and How to Protect Yourself

On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a cyberattack resulting in the theft of approximately $1.5 billion in Ethereum tokens. This attack marked a new pinnacle in the criminal efforts of cyber actors tied to the Democratic People’s Republic of Korea (“North Korea” or the “DPRK”). In recent years, these malicious actors have increasingly targeted the cryptocurrency industry, leveraging sophisticated tactics to steal and launder digital assets for the ultimate benefit of funding the North Korean government. These high-profile and high-dollar-value exploits underscore the ongoing risk from the DPRK cyber threat and the need for private sector actors to implement appropriate cybersecurity measures to combat these threats. The threat is particularly acute since most interactions with these actors raise the additional risk of committing a violation of U.S. sanctions, with corresponding civil and criminal legal exposure.

This blog post delves into the details of recent cybercriminal activity attributed to actors tied to North Korea, their impact on the cryptocurrency sector, and the steps organizations should consider to mitigate those risks.

Continue reading “The Wallet Inspectors: The DPRK’s Sophisticated Campaign to Steal Cryptocurrency and How to Protect Yourself”

Lessons from PayPal’s $2 Million Cybersecurity Settlement with the New York State Department of Financial Services

Introduction

On January 23, 2025, PayPal settled an enforcement action brought by the New York State Department of Financial Services (NY DFS) for failing to comply with cybersecurity regulations required for financial services businesses under the Department’s supervision. The settlement, which included a $2 million fine and required remedial measures, arose out of a cybersecurity incident where hackers gained access to PayPal customers’ sensitive information contained on tax forms in PayPal’s systems. As discussed further below, the incident highlights the importance of implementing an effective cybersecurity program and ensuring that employees are adequately trained to follow the policy in practice.

Summary of the PayPal Enforcement Decision

The NY DFS sets standards for cybersecurity practices among financial institutions through cybersecurity regulations established at 23 NYCRR Part 500. These regulations require all DFS-regulated entities to establish and maintain a comprehensive cybersecurity program to protect consumers’ nonpublic information (NPI) and ensure the security of information systems.

Continue reading “Lessons from PayPal’s $2 Million Cybersecurity Settlement with the New York State Department of Financial Services”

Countries Poised to Adopt New Cybersecurity Measures After UN Adopts Major Cybercrime Convention

On August 7, 2024, after three years of negotiation, the United Nation’s Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes unanimously adopted the Convention Against Cybercrime. The Convention now goes to the General Assembly, where it is expected to be adopted. If ratified by 40 member states, the Convention will enter into force.

Continue reading “Countries Poised to Adopt New Cybersecurity Measures After UN Adopts Major Cybercrime Convention”

New UK Consumer Laws on Fake Reviews, Subscription Contracts and Drip Pricing: Impact on US Businesses

In May of this year, the UK Government passed the Digital Markets, Competition and Consumers Act (DMCC) into law. The DMCC is wide-ranging and covers three key areas: consumer law, digital markets, and merger and antitrust law.

In the first of our series of blog posts, we set out key points on the significant changes to consumer laws and regulatory enforcement powers of which US businesses selling to UK consumers need to be aware ahead of the law coming into force, which is expected to be later this year.

Continue reading “New UK Consumer Laws on Fake Reviews, Subscription Contracts and Drip Pricing: Impact on US Businesses”

EU Artificial Intelligence Act – Legislation Adopted by the European Council

The long-awaited European Union Artificial Intelligence Act (the AI Act) is nearing implementation following its adoption by the European Council yesterday (21 May 2024). This signals the completion of the final major stage of the European Union (EU) legislative process and the AI Act is expected to enter into force imminently. We considered the impact of this legislation in detail in our previous article: EU Artificial Intelligence Act — Final Form Legislation Endorsed by European Parliament.

The only remaining formalities are the signature of the President and Secretary-General of the European Parliament and Council and publication in the Official Journal, which is expected to happen in the coming days. The AI Act will enter into force 20 days after this takes place. The AI Act will become fully applicable 24 months after its entry into force (June 2026). However, some provisions will apply before that date.

Continue reading “EU Artificial Intelligence Act – Legislation Adopted by the European Council”

NIST Releases Cybersecurity Framework 2.0

On February 26, 2024, the National Institute of Standards and Technology (NIST) released the NIST Cybersecurity Framework 2.0 (CSF 2.0). CSF 2.0 represents the first major update to the Cybersecurity Framework, which was first released in February 2014. CSF 2.0 provides an increased focus on entities’ governance functions and broadens the CSF’s scope. For companies subject to state and federal standards demanding “reasonable security,” CSF 2.0 is particularly important because it could very well become the de facto standard of care under various cybersecurity and data privacy laws.

Focus on Governance

CSF 2.0 builds on the five high-level functions from CSF 1.0 (Identify, Protect, Detect, Respond, and Recover) by introducing a new core function—Govern. This function focuses on ensuring that an organization’s cybersecurity risk management strategy, expectations, and policies are established, communicated, and monitored. In particular, this new core function emphasizes that an organization’s cybersecurity framework must be (i) based on the organization’s individual circumstances, goals, and risk appetite; (ii) well established and communicated within the organization to ensure compliance and continuity; and (iii) continually reviewed and improved.

Continue reading “NIST Releases Cybersecurity Framework 2.0”

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Category: Privacy