Photo of Michael Vatis

Michael Vatis has spent most of his career addressing cutting edge issues at the intersection of law, policy, and technology. Michael's practice focuses on Internet, e-commerce, and technology matters, providing legal advice and strategic counsel on matters involving privacy, security, encryption, intelligence, law enforcement, Internet gambling, and international regulation of Internet content.

Just when you thought you finally had a handle on CCPA compliance, the California Attorney General has proposed additional modifications to the regulations that recently became final on August 14. Fortunately, the changes are minor. More significant changes to the CCPA may be just around the corner, though, if California voters approve the California Privacy

Co-Authored By Ed KraulandMeredith RathboneJack Hayes & Evan Abrams

On October 1, 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) published advisories on the sanctions and anti-money laundering (AML) risks of facilitating ransomware payments.

Ransomware attacks have become increasingly common in recent years with malicious attacks targeting companies in a variety of industries, including healthcare, technology, and education, among others. Ransomware attacks typically involve a hacker breaching a company’s information technology (IT) infrastructure and encrypting a company’s data or other systems. The attacker then typically demands the victim pay a ransom in exchange for a decryption key that allows the victim to unlock the IT systems or data. Such attacks can have severe consequences for the victim, often preventing the victim from being able to conduct business operations in whole or in part, and, in the case of healthcare companies such as hospitals, can potentially lead to loss of life, as reportedly occurred recently with a ransomware attack on a hospital in Germany. Such inability to conduct business can also have ripple effects on other companies or individuals whose data is affected.  In some instances, an attacker may also threaten to disclose private information or data unless the ransom is paid.

As a result, victims of ransomware attacks often choose to pay the ransom. However, because ransomware attackers rarely, if ever, identify themselves, and often demand payment in cryptocurrency, victims making such payments are generally forced to do so without a clear understanding of the recipient. Such conduct potentially exposes the victim, and third party service providers (including financial institutions and incident response consultants, among others), to violations of and obligations under US sanctions and/or AML laws.

The OFAC and FinCEN advisories provide information to the public regarding the sanctions and AML risks to victims and third party service providers, including US financial institutions, who assist victims in responding to ransomware attacks. While in many respects the guidance does not break new regulatory ground, it is a stark reminder of the way that those trying to deal with the consequences of a ransomware attack can find themselves in trouble with the US government. This puts victims and companies that assist them in a difficult conundrum: don’t pay the ransom and potentially watch the victim company’s business get destroyed, or pay the ransom and run the risk of violating US sanctions and AML laws. It is therefore imperative that victim companies and those in the business of facilitating ransom payments carefully consider the legal risks and evaluate potential ways to avoid or minimize them.

Continue Reading Five Key Takeaways from OFAC and FinCEN’s Ransomware Advisories

On Friday, August 14, 2020, California Attorney General Xavier Becerra announced that the regulations implementing the California Consumer Privacy Act (CCPA) have been approved by the California Office of Administrative Law (OAL) and are effective immediately. The attorney general had already begun enforcing the CCPA itself on July 1. But now that the regulations have

On July 1, 2020, the California attorney general is expected to begin enforcing the California Consumer Privacy Act (CCPA), California’s groundbreaking new privacy law which has been in effect since January 1, 2020. In addition, the attorney general is also finalizing regulations that interpret and build upon the CCPA. To minimize the risk of potentially

On March 11, California Attorney General (AG) Xavier Becerra released a third version of draft regulations implementing the California Consumer Privacy Act (CCPA). The third draft contains relatively minor changes from the second draft, which was released in February, suggesting that the AG is  close to finalizing the regulations, and that enforcement is likely to begin on schedule on July 1, 2020.

Continue Reading California Attorney General Releases Third Draft of CCPA Regulations

The California Consumer Privacy Act (CCPA) has been in effect only since January 1, but it has already been cited in a lawsuit, apparently for the first time. On February 3, plaintiffs filed a class action complaint in the US District Court for the Northern District of California against retailer Hanna Andersson, LLC and Salesforce.com,

On February 7, 2020, California Attorney General (AG) Xavier Becerra released a second version of draft regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The second iteration of the Attorney General’s draft regulations contain numerous important changes from the initial draft, some of which are summarized in this alert. One of the most

Last week, California Attorney General Xavier Becerra released much anticipated regulations implementing and interpreting the California Consumer Privacy Act (CCPA). Given the Attorney General’s responsibility for enforcement and the many open questions surrounding the CCPA, even after another round of amendments were passed last month, businesses have been eagerly waiting for the draft regulations to