
Right To Know - June 2025, Vol. 30

June 19, 2025

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here. 


State Action: 

  • North Dakota Passes Law on Financial Data Protection and Breach Reporting: On Apr. 11th, North Dakota’s governor signed B. 1127 (“the Act”), establishing new data security and breach notification requirements for financial corporations regulated by the state’s Department of Financial Institutions, excluding banks and credit unions. The Act requires these entities to implement a comprehensive information security program, appoint a designated individual to oversee it, conduct regular risk assessments, and implement safeguards and training based on the identified risks. It also mandates that companies exercise due diligence when selecting service providers to ensure they can maintain appropriate protections for customer information. Additionally, financial corporations must submit annual reports on their security program to their board of directors. In the event of a security incident involving the data of 500 or more customers, they must notify the Department of Financial Institutions within 45 days of discovery, which is broadly defined to include knowledge of the event by any employee or agent. The Act becomes effective on Aug. 1st.

Regulatory: 

  • CISA and Partners Publish Best Practices for Securing Data Used to Train & Operate AI Systems: On May 22nd, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Federal Bureau of Investigation, and international partners released a Cybersecurity Information Sheet, “AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems.” The information sheet provides guidance on securing data used in AI and machine learning systems, highlights the importance of data security in ensuring the accuracy and integrity of AI results, and outlines potential risks that can arise from data integrity issues at various stages of AI development and deployment. The information sheet also includes best practices for addressing data security and integrity issues across all phases of the AI lifecycle.
  • Coinbase Chooses Not to Pay $20 Million Ransom After Contractors Bribed to Leak Data: In a recent filing with the SEC, Coinbase reported that it chose not to pay a $20 million ransom demand from a threat actor group. Coinbase explained that the incident occurred because a group of rogue contractors were bribed to leak customer data. The group responsible for the bribes then contacted Coinbase and demanded a $20 million ransom in exchange for not publicizing the incident, which affected data for less than 1% of Coinbase’s monthly transacting users. The individuals targeted with the bribes were contractors in non-U.S. support centers who were already authorized to view the leaked information. Coinbase estimated in its filing that the remediation and reimbursement costs associated with the incident will be between $180 million and $400 million.
  • Steel Manufacturer Production Disrupted by Cyberattack: Nucor Corporation, a large steel manufacturer, recently reported to the SEC that it experienced a cybersecurity attack that disrupted its production. While the company did not explicitly state that it had experienced a ransomware attack, the description provided to the SEC was consistent with one. The incident resulted in unauthorized access to Nucor’s IT systems, and in response the company was forced to take some systems offline. The incident highlights the need for all companies, not just those in the technology sector, to take cybersecurity precautions and incident response seriously.
  • Financial Institutions Petition SEC to Drop Requirement to Disclose Material Cybersecurity Incidents: A number of financial-institution trade groups petitioned the Securities and Exchange Commission (“SEC”) to amend the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. The groups point out that the rule requires “rapid—often premature— disclosure of material cybersecurity incidents.” The groups then outline why such disclosure, in their opinion, is premature, unhelpful to investors, and causes confusion about the item under which it should be filed. It remains unclear whether this rule may be amended or repealed under the Trump Administration.
  • FTC Shows Hand for Upcoming Enforcement Priorities: The Federal Trade Commission Chair, Andrew Ferguson, appeared before the Committee on Appropriations of the U.S. House of Representatives on May 15th and delivered testimony discussing the agency’s current enforcement priorities. Mr. Ferguson focused heavily on fighting fraud and deceptive trade practices, including combating fraud and deceptive marketing claims about AI products, while still emphasizing the agency’s hands-off approach to AI governance. The testimony also indicated that the FTC will focus on specific types of privacy law violations, such as violations of the Children’s Online Privacy Protection Act (COPPA) and the Gramm-Leach-Bliley Act’s (GLBA) Privacy Rule and Safeguards Rule. Mr. Ferguson’s written testimony provides a relatively clear view of the upcoming FTC priorities around AI enforcement, privacy, and platform content moderation policies.

Litigation & Enforcement: 

  • Judge Approves $3.25 Million Settlement of Lawsuit from a Class of Policyholders Against USAA: On May 21st, the United States District Court for the Southern District of New York entered final approval of a settlement agreement between USAA and a class of policyholders who alleged they were affected by a data breach. The federal judge’s final order approved the $3.25 million settlement, finding that the requirements for approval were met, including that due and adequate notice had been provided to the approximately 22,000 policyholders in the class.
  • Russian Charged by the US Federal Government for the Qakbot Malware Scheme: On May 22nd, U.S. federal prosecutors unsealed an indictment charging a Russian national with leading a global cybercrime syndicate responsible for the development and deployment of the Qakbot malware. The malware was used to infect thousands of computers worldwide, forming a botnet that facilitated ransomware attacks and financial fraud. The indictment includes charges of conspiracy to commit computer fraud and abuse, as well as conspiracy to commit wire fraud. After gaining access to the infected computers, the Russian national provided that access to co-conspirators, who deployed ransomware and paid him a portion of the ransom payments. After the United States government disrupted the botnet, the Russian national continued to use different tactics to attack companies and deploy ransomware. The Department of Justice has filed a civil forfeiture complaint to seize all illicit proceeds from the Russian national and return the funds to the victims.
  • Iranian Man Pleads Guilty for Role in Robbinhood Ransomware: An Iranian national pled guilty to participating in the Robbinhood ransomware scheme, which compromised U.S. companies’ computer networks and encrypted files to extort ransom payments. According to the DOJ, the City of Baltimore lost more than $19 million as a result of the ransomware attack, which also disrupted essential city services. The Iranian national’s participation in the Robbinhood ransomware scheme began in January 2019, and he laundered ransom payments through cryptocurrency mixing services. He pled guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud, and faces a maximum penalty of 30 years in prison.

International Updates: 

  • Germany Doxxes Russian Ransomware Leader: Germany’s Bundeskriminalamt (“BKA”), the country’s equivalent of the FBI, has publicly identified (or “doxxed”) Vitaly Nikolaevich Kovalev as the leader of the Trickbot malware gang as well as the Ryuk and Conti ransomware gangs. Doxxing is a tactic that some Western law enforcement agencies have turned to in recent years to impose costs on individuals committing cybercrime when those individuals are outside the jurisdiction of the relevant law enforcement agency. For example, Vitaly Kovalev is believed to be living inside Russia, out of the reach of Germany and the BKA. The costs can include highlighting the wealth in cryptocurrency that these individuals have amassed, making them targets for violence and physical threats from other criminals.
  • EU Proposes Limited Watering Down of GDPR: In an anticipated move, the European Commission on May 21st proposed some changes to how GDPR applies to smaller entities. The specific proposals do not go as far as some expected, however. While they would expand the categories of companies that may in the future be exempt from maintaining Article 30 data processing records, the proposals could arguably create legislative, regulatory and enforcement clashes between compliance with GDPR and compliance with other measures such as NIS2 and DORA. The matter will be considered further by the European Parliament or the Council.
  • Irish Data Watchdog Issues Updated Statement on Meta AI: On May 21st, the Irish Data Protection Commissioner (DPC) issued an updated report on its engagement with Meta regarding that company’s plans to train its AI models on public posts. The engagement between the DPC and Meta stretches back to Mar. 2024. The DPC also involved the European Data Protection Board (EDPB) in Sept. 2024, seeking a formal Opinion on the matter. This has culminated in Meta adopting several measures and adaptations to its plans, including notifications to data subjects and the use of Objection Forms. Meta is due to produce a report on these implementations by Oct. 2025. Concerns remain that the “legitimate interest” legal basis relied upon by Meta is insufficient and that an “opt-out” approach goes against core principles underpinning GDPR. There are also real-world difficulties in removing personal data (public or otherwise) from an already trained AI model. This quasi-regulatory approval may yet draw legal challenges from data privacy advocacy groups across the EU.

Industry Updates: 

  • Fake IT Support Scam Leads to Stolen Salesforce Data: According to Salesforce, a group of cyber-criminals is using voice-phishing to trick approximately 20 multinational organizations into downloading a modified version of Data Loader, a Salesforce app used to export large amounts of data. The scammers impersonate IT personnel over the phone and persuade victims to visit the Salesforce page where they are eventually prompted to enter a PIN to authorize access for third-party apps. The victim then shares the generated PIN with the fake “IT support,” which grants the scammers access and allows them to exfiltrate information.
  • Vulnerability in Asus Routers Provides Backdoor Access to Threat Actors: Asus, a manufacturer of routers commonly used in home offices and small businesses, recently patched a vulnerability that provided backdoor access to devices. The backdoor access survives both reboots and firmware updates, giving the attacker durable control over affected devices. Approximately 9,000 devices have been compromised as a result of the vulnerability. To determine whether a device is infected, users are encouraged to check the SSH settings in the configuration panel. Users can also determine whether they have been targeted by checking their system logs.
  • Florida Bar Adopts Voluntary Model Cybersecurity Incident Response Plan: A May 15th article in the Florida Bar News reported that The Florida Bar has adopted Recommendation 25-1, “Voluntary Implementation of Incident Response Plans” prepared by its Committee on Cybersecurity and Privacy Law. It recommends that members’ law firms “prepare, and annually maintain, an industry-compliant Incident Response Plan.” It includes a Sample Data Mapping Guide, Basic Guidance for Maturity Assessments, Incident Response Plans Recommendations, and a Sample Incident Response Plan Template. It also provides an overview of standard cybersecurity practices tailored to attorneys and law firms.
  • Microsoft and Global Allies Target Lumma Stealer Malware in Major Cybercrime Takedown: Microsoft’s Digital Crimes Unit (DCU), in collaboration with international law enforcement agencies, has taken decisive legal action against Lumma Stealer malware. Through a court order in the United States and coordinated efforts with Europol and Japan’s Cybercrime Control Center, Microsoft seized over 2,300 malicious domains and disrupted Lumma’s central command structure. The malware, notorious for stealing sensitive information and facilitating cybercrime, infected over 394,000 Windows computers globally. By redirecting seized domains to Microsoft sinkholes, DCU aims to enhance cybersecurity, hinder cybercriminal operations, and safeguard online users globally.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
