
Democrats urge FTC to make privacy rules while fight over a federal law drags on - CyberScoop

Tonya Riley


U.S. Sen. Richard Blumenthal (D-CT) speaks during a news conference outside the U.S. Capitol on April 29, 2021 in Washington, DC. (Photo by Stefani Reynolds/Getty Images)

 

 

SEP 20, 2021 | CYBERSCOOP

Nine Senate Democrats are urging the Federal Trade Commission to make new data privacy rules that will work in parallel with the long-running effort by Congress to reach an agreement on a federal privacy law.

Lawmakers are urging the agency to look at better protecting vulnerable communities from discriminatory data practices, as well as requiring companies to get consumers to explicitly opt into having their data collected.

“We believe that a national standard for data privacy and security is urgently needed to protect consumers, reinforce civil rights, and safeguard our nation’s cybersecurity,” the group of Senators led by Richard Blumenthal, D-Conn., wrote.

The letter comes in response to frustrations that the FTC’s current rules against unfair and deceptive practices have proven ineffective against major privacy violations and data breaches by technology companies. Leaning on that authority in lieu of strong national privacy protections has forced the agency to “be reactive, not proactive,” Jessica Rich, former director of the Bureau of Consumer Protection at the FTC, recently told CyberScoop.

“Continuous high-profile and costly privacy violations and data breaches have shown the limits of the FTC’s general prohibition on unfair and deceptive practices,” the senators wrote. “Big Tech companies have routinely broken their promises to consumers and neglected their legal obligations, only to receive wrist-slap punishments after long delay, providing little relief to consumers, and with minimal deterrent effect.”

Members say in the letter that the FTC’s Magnuson-Moss rulemaking process, which requires extensive public comment and discussion, would contribute to congressional efforts to develop federal privacy law. The agency recently voted along party lines to streamline that process to make it less cumbersome.

Congress has debated more than half a dozen dueling proposals for federal privacy legislation in recent years, including legislation brought at some point by nearly all of the letter’s signatories. None have made it to a final vote.

The call for action from the Senate follows efforts in the House last week to advance a that would set up a $1 billion privacy bureau within the FTC.

An FTC spokesperson confirmed that the agency received the letter but declined to comment.

Updated 9/20/21: with FTC response.


Treasury sanctions cryptocurrency platform for working with ransomware payments

The Treasury Department, Washington, D.C. (Getty Images)

 

 

SEP 21, 2021 | CYBERSCOOP

The Treasury Department on Tuesday announced sanctions against a cryptocurrency exchange for facilitating transactions involving money illegally gained via ransomware hacking, the first action of its kind.

The sanctions against Russia-based exchange Suex are a significant step by the Biden administration in making it harder for cybercriminals to access payments, with the ultimate goal of disrupting the rapid rise of ransomware attacks. (The government did not disclose which hacking groups allegedly laundered their funds through the service.)

“Exchanges like Suex are critical to attackers’ ability to extract profits from ransomware attacks. This action is a signal of our intention to expose and disrupt illicit infrastructure using these attacks,” said Wally Adeyemo, deputy secretary of the Treasury Department.

Over 40% of Suex’s transactions are associated with illegal activity, according to the Treasury Department. The new sanctions block all of Suex’s property and business interests in the U.S. and threaten additional sanctions for any individuals who engage with the platform.

The exchange has received over $160 million from ransomware actors and other cybercriminals, according to cryptocurrency analysis firm Chainalysis. An analysis of Suex’s activity shows that multiple deposit addresses belonging to the exchange were included in a group of just 273 addresses identified by Chainalysis as receiving 55 percent of all funds sent from illicit addresses in 2020.

The firm could not immediately be reached for comment.

The Treasury Department’s Office of Foreign Assets Control has sanctioned organizations associated with supporting ransomware before. In 2019 the U.S. government sanctioned Evil Corp., a Russia-based cybercriminal organization behind the Dridex malware that was used to steal more than $100 million across 40 countries.

Treasury will prioritize going after the narrow subset of cryptocurrency exchanges that make up a disproportionate amount of illegal activity, Adeyemo said. By laundering cryptocurrency through specific exchanges, hackers aim to hide their activity and disguise any digital evidence trail.

“We’re going to continue to look within this ecosystem…and look for other actions we can take to deter those who facilitate these types of payments, given the importance to protecting our national security and our economy,” said Adeyemo.

Treasury will also investigate cryptocurrency mixers, a technology that mixes cryptocurrency with multiple funds in order to mask its source. The Justice Department in April arrested a Russian-Swedish national for allegedly laundering $335 million in cryptocurrency through the “Bitcoin Fog” mixer, a cryptocurrency service notorious for laundering money for cybercriminals. The Financial Crimes Enforcement Network, an investigative arm of the Treasury Department, has also fined mixers for violating banking regulations designed to protect against money laundering.

OFAC on Tuesday also issued an update to its 2020 ransomware guidance, strongly discouraging the payment of ransom or extortion demands. The advisory encourages victims to report incidents to law enforcement and cooperate with investigations. Early reporting and cooperation will be considered by OFAC in deciding whether to pursue sanctions against victims who decide to pay ransom, said Adeyemo.

Ransomware attacks, which have more than doubled in recent years, pose a significant national security threat to America’s critical infrastructure, U.S. national security officials have concluded.

A ransomware gang thought to be based in Russia attacked an Iowa grain cooperative, the company said Monday, in the latest potential threat to the American supply chain brought by cybercriminals. In two separate attacks earlier this year, hackers brought down major fuel provider Colonial Pipeline as well as meat-supplier JBS.

Anne Neuberger, deputy national security advisor for cyber and emerging technology at the National Security Council, told reporters that the White House is monitoring the latest attack on the Iowa grain cooperative, but has not attributed the attack or found any major impact.

The new sanctions follow a flurry of actions from the Biden administration aimed at disrupting a ransomware crisis that threatens America’s critical infrastructure. That includes ongoing conversations with Russia, a known harbor for cybercriminal activity, and discussions with other global leaders.

The White House will host a meeting with international partners next month to discuss ransomware and holding jurisdictions harboring cybercriminals accountable, according to Neuberger.
