Egnyte Report Reveals 28% of Americans Unaware of Cyberattacks

Egnyte, a leader in secure content collaboration and governance, has released its latest report titled Hacked and Exposed: What Business Leaders Need to Know About Cyber Threats. The report’s findings highlight cybersecurity trends, with 28% of Americans going months without realizing they’ve been hacked; these attacks often target victims’ financial accounts and lead to significant monetary losses.

According to a comprehensive survey of 1,301 U.S. heads of household, cybercriminals are utilizing increasingly sophisticated tactics to exploit security vulnerabilities. These tactics include phishing emails, weak passwords, and social engineering strategies.

Kris Lahiri, Chief Security Officer and Co-Founder of Egnyte, stated, “The report not only underscores the prevalence of cyberattacks but also the concern that many people remain unaware of breaches for an extended period. This delay allows hackers to compromise multiple accounts.”

He emphasized the importance of reviewing and strengthening personal and professional security practices, such as diversifying passwords to reduce the risk of attacks.

The report also highlights the sectors most vulnerable to cyberattacks:

41% reported being financially hacked, making them the most vulnerable group in the study. 36% of individuals working in banking and finance experienced financial hacks, emphasizing the need for stronger cybersecurity.

31% of professionals were targeted by phishing and email-based attacks. Workers in office and healthcare settings also experienced high rates of cyberattacks, with 29% of office employees and 25% of healthcare workers reporting financial hacks.

Neil Jones, cybersecurity evangelist at Egnyte, remarked, “The findings regarding work location may surprise many. It’s often assumed that on-site offices provide better security. Still, our report suggests that organizations with remote workforces are more proactive in cybersecurity training, network security, and access control than those with only on-site employees.”




Adobe Acrobat Vulnerabilities Allow Remote Code Execution

Security researchers from Cisco Talos have discovered multiple vulnerabilities in Adobe Acrobat, potentially allowing attackers to execute arbitrary code or access sensitive information. These flaws primarily stem from issues in the software’s font handling functionality.

The identified vulnerabilities include out-of-bounds read flaws and a memory corruption issue, which could be exploited through maliciously crafted PDF files.

CVE-2025-27163 & CVE-2025-27164 may lead to sensitive information disclosure. Attackers could leverage these weaknesses to gain unauthorized access to system data.
CVE-2025-27158 is a memory corruption vulnerability caused by an uninitialized pointer in Adobe Acrobat’s font processing. If exploited, this flaw could allow an attacker to execute arbitrary code.

The vulnerabilities affect various versions of Adobe Acrobat, though the specific affected versions have not yet been disclosed in detail. If successfully exploited, these flaws could allow attackers to steal sensitive data from affected systems, remotely execute malicious code, and gain unauthorized system access.

Given the widespread use of Adobe Acrobat for PDF management, these security issues pose a significant risk to individual users and businesses alike.

To protect against potential exploits, users and organizations should take immediate action. Adobe has released patches addressing these flaws, and users are urged to apply the latest security updates promptly. Avoid opening PDF documents from untrusted or unknown sources, and implement endpoint security solutions and intrusion detection systems to mitigate exploitation risks.




Children and Teens’ Online Privacy Protection Act Reintroduced

On March 4, 2025, Senators Ed Markey (D-MA) and Bill Cassidy (R-LA) reintroduced the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), aiming to enhance online privacy safeguards for minors.

COPPA 2.0 prohibits digital platforms from directing targeted ads at children and teenagers. The legislation requires companies to limit the collection of personal data from minors and mandates the deletion of such data. It restricts internet companies from gathering data from users aged 13 to 16 without explicit permission.

Senator Markey has persistently championed this legislation since its initial introduction in 2011. In the previous Congress, COPPA 2.0 was incorporated into a broader children’s online safety bill, which the Senate approved with a 91-3 vote in July. However, the House of Representatives did not proceed with a vote on the bill.

The reintroduction has garnered support from numerous children’s advocacy groups, teacher unions, privacy organizations, and medical associations. Senator Cassidy emphasized the bill’s significance: “COPPA 2.0 is the tool that will give parents the peace of mind they need and keep their children’s personal information secure.”

Advocates highlight the increasing surveillance of children across social media and gaming platforms, where companies collect data to track, profile, and influence young users. Katharina Kopp, deputy director of the Center for Digital Democracy, noted, “Children’s surveillance has only intensified across social media, gaming, and virtual spaces, where companies harvest data to track, profile, and manipulate young users.”

The reintroduction of COPPA 2.0 underscores a continued legislative effort to strengthen online privacy protections for minors in the digital age.




CISA Warns of Exploited Flaws in Cisco, Microsoft, Hitachi & Progress

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five security vulnerabilities affecting Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog. This action signals that these flaws are actively exploited in the wild, posing significant risks to affected systems.

One of the vulnerabilities, CVE-2023-20118, affects Cisco Small Business RV Series Routers. This command injection flaw exists in the router’s web-based management interface, allowing authenticated remote attackers to gain root-level privileges and access sensitive data. Cisco has not provided a fix since these routers have reached their end-of-life status, leaving organizations vulnerable.

Two security flaws in the Hitachi Vantara Pentaho BA Server, CVE-2022-43939 and CVE-2022-43769, have also been flagged. The first vulnerability arises from an authorization bypass issue, enabling attackers to access resources through non-canonical URL paths. The second flaw allows attackers to inject malicious Spring templates into configuration files, leading to arbitrary command execution. Both issues were addressed in security updates released in August 2024.

An older vulnerability, CVE-2018-8639, affecting Microsoft Windows Win32k, has resurfaced as an active threat. This flaw, which allows local privilege escalation through improper resource handling, was initially patched in December 2018 but is still targeted in modern attack campaigns.

Another high-risk vulnerability, CVE-2024-4885, affects Progress WhatsUp Gold, a widely used network monitoring software. This path traversal vulnerability enables unauthenticated, remote attackers to execute arbitrary code on affected systems. The flaw was patched in June 2024 with version 2023.1.3, but ongoing exploitation attempts have been observed.

CVE-2023-20118 is being leveraged to conscript vulnerable Cisco routers into a botnet called PolarEdge. At the same time, the exploitation of CVE-2024-4885 has been detected globally. Security researchers from the Shadowserver Foundation and GreyNoise report that attack attempts have originated from Hong Kong, Russia, Brazil, South Korea, and the United Kingdom.

Because CISA has confirmed active exploitation of these vulnerabilities, it has mandated that Federal Civilian Executive Branch (FCEB) agencies implement mitigations by March 24, 2025. Organizations using the affected products are strongly urged to apply the latest patches or, where none are available, implement alternative security measures to help prevent potential attacks.




How Cybersecurity Fits into Your Compliance and Ethics Program

“Cybersecurity wasn’t necessarily a significant issue for in-house counsel 10-15 years ago. But now, companies have so many more obligations regarding information security and data privacy than they did even a decade ago,” writes Theodore F. Claypoole in The National Law Review.

“Initially, cybersecurity was an issue primarily for regulated companies. Then, companies with widespread consumer contact found themselves having to meet greater regulatory burdens. Today, though, cybersecurity is an issue for virtually every company, and it is important those efforts fit into a corporate compliance and ethics program.”

Read the article.




Goodwin Procter Hit by Data Breach Through Vendor

“Goodwin Procter LLP suffered a data breach after a vendor that it uses for large file transfers was hacked, according to an internal memo obtained by news outlets,” reports Lawyer Monthly in their Legal News.

“The memo, circulated on Tuesday by managing partner Mark Battencourt, said Goodwin was notified of the security issue on 22 January and immediately stopped using the service. The firm also retained the services of a third-party forensic expert and launched an investigation into the breach.”

“‘Our investigation revealed a small percentage of our clients may have experienced unauthorized access to or acquisition of confidential material’ on 20 January, Battencourt said in the memo. ‘Clients whose data may have been directly impacted as a result of this matter have been notified, and we have also communicated the security incident to all firm clients.'”

“The investigation also revealed that ‘only a few Goodwin employees were affected’ by a breach, all of whom had also been notified. The memo added that none of the firm’s resources appeared to have been impacted other than the file transfer service.”

Read the article.




Zoom Reaches Settlement with FTC Over Misleading Security Practices

“The Federal Trade Commission reached a settlement with Zoom to resolve allegations that the company engaged in misleading security practices. The use of the videoconferencing platform skyrocketed during the pandemic, particularly in the healthcare and education sectors, which spotlighted its security risks,” reports Jessica Davis in Health IT Security’s Cybersecurity News.

“The settlement requires Zoom to establish and implement a comprehensive security program and prohibits the vendor from misrepresenting its privacy and security, as well as other ‘detailed and specific relief to protect its user base.'”

“The Commission’s complaint alleges that Zoom made misrepresentations regarding the strength of its security features and implemented a software update that circumvented a browser security feature,” according to the FTC majority statement. “The proposed order provides immediate and important relief to consumers, addressing this conduct.”

Read the article.




Privileged Cybersecurity Investigations – A Checklist for Contracting with Consultants

Your company may suffer a cybersecurity incident that warrants bringing in third-party forensics or other consultants to investigate and report on the cause or consequences of the cyber event or compromise. To seek to protect the third parties’ reports with the work product privilege (and, thus, to avoid having to disclose the reports in litigation) – and to try to side-step the unexpected failure to establish such protection that Capital One recently experienced (In re: Capital One Consumer Data Security Breach Litigation) – do (and don’t do) the following with respect to your contracts with these third parties:

Do have outside counsel be the entity contracting directly with the third party. Have outside counsel pay the third party’s fees, directly. Then, have outside counsel bill you for reimbursement of the fees paid.

Do contract under a specific statement of work or services description that is exclusive to the particular cyber incident.

Do state and expressly limit the purpose of the third party’s services and reports to anticipating litigation arising from the cyber incident. The purpose should not explicitly or implicitly include, for example, financial controls or reporting.

Do require that the third party’s report be in a form and of substance specific to the purpose of anticipating litigation. The report should not mirror what would be provided for reports for other purposes.

Do require the third party to issue formal and informal reports and updates only to the contracting outside counsel. Outside counsel, then, as necessary or appropriate, can distribute further the reports or updates, for example, to select internal stakeholders.

Don’t allow those who receive reports and updates from outside counsel to further distribute the reports or updates, whether internally or externally. Require recipients to explicitly agree to limited use and handling terms, before receiving reports or updates.

Don’t allocate the costs and fees for the third party’s services to any internal billing or cost center other than Legal’s. The costs and fees should be assigned to Legal’s budget. Categorize the costs and fees as “legal” costs and fees, not, for example, cybersecurity or business costs or fees.

And, in the contract with the third-party forensics firm or consultant, do include requirements that the third party conform to all of the applicable above do’s and don’t’s.

Importantly, these are only a few do’s and don’t’s that may help guide many companies to attempt to structure and implement contracts with third-party consultants so as to establish the work product privilege applicable to the third party’s reports. Each company, each cybersecurity incident, and applicable law can vary and be unique, so it is perhaps even more critical for the company to immediately involve inside (or outside) counsel to navigate these thorny issues.

Background – In re: Capital One Consumer Data Security Breach Litigation

The above do’s and don’t’s follow from the recent decision of the U.S. District Court for the Eastern District of Virginia in the above-referenced litigation. Capital One sought to avoid having to disclose the report issued by the cybersecurity forensics firm that it retained in the wake of the March 2019 data security breach suffered by the financial company.

In affirming a magistrate judge’s order to compel Capital One to disclose the forensics report, the Virginia federal district court made several observations. Well before the breach (and not specific to the March breach), Capital One had retained the forensics firm under a general SOW, on a retainer basis, to provide a set number of service hours for any one of a broad range of incident response services that might be needed. After the security breach, the bank’s outside counsel signed a letter agreement with the forensics firm for services with respect to the breach, but the terms of the letter agreement provided for the same scope and kind of services, on the same terms and conditions, as the general SOW (except that the forensics firm would work at the direction of the outside counsel and provide the forensics report to the outside counsel).

For performing under the letter agreement, the consultant was first paid from the retainer already provided under the general SOW. Then, Capital One directly paid the balance of the consultant’s fees due under the letter agreement – with funds from Capital One’s internal general cybersecurity budget. Capital One (at least at first) internally identified the fees paid to the consultant as a “business critical” expense – not as a “legal” expense.

During the forensics firm’s investigation, it communicated directly with the bank’s external financial auditors, so that the auditors could assess whether the breach impacted the bank’s accounting controls. Many internal and external parties received a copy of the forensics report, but Capital One provided no explanation as to why these recipients received a copy of the report, as to whether the report was provided for business purposes, regulatory reasons, or specifically in anticipation of litigation, or as to any restrictions placed on the recipients’ use, reproduction, or further distribution of the report.

Both the magistrate judge and, on appeal, the district court judge who opined on the matter saw the facts above, among others, as support for finding that the forensic firm’s investigation report was not protected from disclosure by the work product privilege.




DOJ Reached $46M Settlement with 5Dimes for Illegal Sports Betting

“5Dimes and the U.S. Department of Justice reached a $46.8 million settlement of an investigation into illegal US sports betting operations, as well as money laundering and wire fraud,” reports Matthew Waters in Legal Sports Report.

“The company announced an intent to enter the US sports betting market following the deal, although state regulators likely will balk at the long list of criminal activity detailed in the settlement.”

“5D Holdings and owner Laura Varela will forfeit the illegally obtained gambling proceeds as part of a settlement with the US Attorney’s Office Eastern District of Pennsylvania into the criminal investigation of 5Dimes’ offshore operations in Costa Rica.”

Read the article.




Facebook Brings Suit against Developers of a Browser Extension That Harvested User Data

Facebook brought suit against two marketing analytics firms alleging the defendants developed and distributed malicious Chrome browser extensions that were essentially designed to scrape users’ data from various social media platforms … “(including Facebook and Instagram), all in contravention of Facebook and Instagram’s terms of service and commercial terms,” reports Jeffrey Neuburger in Proskauer.

“According to the Complaint, the defendants coaxed users to install their UpVoice and Ads Feed extensions by, among other things, offering gift cards in exchange for downloading and suggesting that users would become ‘panelists’ impacting marketing strategies of large companies.”

Read the article.




State Gets $1.9 Million as Share of Data Breach Settlement

“Kentucky will receive more than $1.9 million as its share of a settlement with a company over a data security breach that compromised the personal information of 78.8 million Americans,” reports Steve Rogers in WTVQ’s Local News.

“Anthem, Inc. agreed to pay $39.5 million to 43 states and the District of Columbia. Kentucky will receive $1,929,942.02. In addition to the payment, Anthem has also agreed to a series of data security and adequate governance provisions designed to strengthen its practices going forward, according to Attorney General Daniel Cameron, who announced the settlement.”

Read the article.




Fake Websites for Four Biglaw Firms Might Have Been Created to Get Deal Information

“Fake websites for four large law firms created in 2008 might have been part of an attempt to get insider information on pending Wall Street deals, according to newly declassified FBI documents,” reports Debra Cassens Weiss in ABA Journal’s Cybersecurity News.

“The targeted law firms were Greenberg Traurig; Sullivan & Cromwell; Wachtell, Lipton, Rosen & Katz; and Cravath, Swaine & Moore.”

“Sullivan & Cromwell told the FBI that it thought the scammer was trying to intercept email with information about mergers and acquisitions.”

Read the article.




Facebook’s $550 Million Settlement In Facial Recognition Case Is Not Enough

Lawyers for Facebook are “trying to convince a judge they should be allowed to settle a class action lawsuit that accuses the company of violating users’ privacy,” reports Bobby Allyn in NPR’s Technology.

“Facebook agreed earlier this year to pay $550 million to settle the case, which claims that the tech giant illegally used facial-recognition technology in its ‘tag suggestions’ service.”

“The deal was the largest-ever payout as the result of a class-action lawsuit alleging online privacy violations.”

“…under the settlement, people who have had their face data harvested in Illinois are expected to receive checks of just $150.”

“U.S. District Judge James Donato of California, who is overseeing the case, says that payout is woefully inadequate.”

Read the article.




Centre for Information Policy Leadership at Hunton Andrews Kurth Issues Report on Accountability in Data Privacy

To help businesses build effective privacy compliance programs that also enable responsible uses of data, the Centre for Information Policy Leadership at Hunton Andrews Kurth has issued a report on how leading companies have implemented robust privacy programs and accountability controls.

The report is the culmination of CIPL’s Accountability Mapping Project, launched in September 2019. It is based on interviews with numerous organizations with mature privacy programs and an analysis of their specific accountability practices. It provides examples of how organizations in different sectors and geographies, and of various sizes, implement effective data privacy management programs and how these programs map to the CIPL Accountability Framework, which was previously outlined here.

The COVID-19 crisis has highlighted the importance of implementing organizational accountability through data privacy and governance programs. This enables businesses and government agencies to effectively leverage personal data and modern technologies to address public health emergencies without undermining the privacy of individuals. With the acceleration of data-driven innovation and the digital transformation of society in the post-COVID world, corporate boards and senior leaders will be addressing data privacy as a business and trust imperative. This report provides practical examples of how leading organizations implement data privacy accountability measures and embed accountability into their organizational ethos.

“The findings of our report demonstrate that we are squarely moving into the era of data privacy accountability. Enlightened senior leaders in businesses and public bodies see accountability as a board-level business and data strategy issue, and a prerequisite for public trust and sustainable data uses,” CIPL President Bojana Bellamy said. “This report shows that accountability is scalable to both big and small organizations. It illustrates best-in-class practices and success stories to support the effectiveness of an accountability framework in promoting responsible data practices.”

CIPL has worked extensively on privacy accountability and has been advocating for the implementation of accountability principles by organizations around the world. Accountability is also being championed by visionary senior leaders and chief privacy officers in the world’s leading companies and has been encouraged by many forward-thinking data privacy regulators and lawmakers in the US, Canada, Europe, Asia-Pacific and Latin America. Additionally, many jurisdictions such as the European Union, Brazil, Singapore, India and Canada have incorporated, or are in the process of incorporating, accountability into their data protection laws.

Download the report.




Texas Courts Hit by Ransomware Attack

“Texas courts shut down websites and disabled servers late last week in response to a ransomware attack, the Office of Court Administration announced Monday,” reports Dave Boucher in The Dallas Morning News’ Courts.

System administrators discovered early Friday that hackers had taken over at least a portion of the statewide court network and demanded some form of ransom in return for restoring control. In a statement, the administration said the attack began “in the overnight hours” the same day it was discovered.

The state did not specify what exactly hackers requested or how they gained access to the system, and a spokeswoman did not return a phone call seeking comment. The court system is working with state law enforcement to investigate the breach and vowed not to pay any ransom.

The administration runs the information technology services for Texas appellate courts and state judicial agencies, including the Texas courts website.

Read the article.




Law Firm Representing Lady Gaga, Madonna, Bruce Springsteen, Others Suffers Major Data Breach

“Grubman Shire Meiselas & Sacks, a large media and entertainment law firm, appears to have been the victim of a cyberattack that resulted in the theft of an enormous batch of private information on dozens of celebrities, according to a data security researcher,” report Todd Spangler and Shirley Halperin in Variety’s Digital News.

“The trove of data allegedly stolen from the New York-based firm by hackers — a total of 756 gigabytes — includes contracts, nondisclosure agreements, phone numbers and email addresses, and ‘personal correspondence,’ according to an image of the hackers’ post provided to Variety by Emsisoft, a cybersecurity software and consulting company specializing in ransomware.”

“The documents purportedly include information about multiple music and entertainment figures, including: Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s ‘Last Week Tonight With John Oliver,’ and Run DMC. Facebook also is on the hackers’ hit list.”

Read the article.




Ten Tips on Handling a Virtual Evidentiary Hearing Before a Regulatory Agency

“A virtual hearing can be challenging for any regulatory lawyer. It requires relying on technology more than ever to advocate for clients. It can feel like talking to an empty room, even if you’re on camera. Plus it requires attorneys to get results for our clients without the benefit of interpersonal contact with the judge, commissioners or staff. However, having survived my first virtual evidentiary hearing before a state energy commission in April 2020 – and with the benefit of hindsight – it’s like everything lawyers do for the first time in our practice: It’s a challenge until you do it. And like the first oral argument we made or the first hearing we ever litigated, we learn lessons and improve each time,” writes Tara S. Kaushik in Holland & Knight’s Insights.

“We will likely face more than a few virtual hearings given the current pandemic and shelter-in-place orders. Currently, many state regulatory agencies have postponed evidentiary hearings or scheduled briefs and telephonic oral arguments to narrow the issues requiring hearings. But that can only last so long, given that utilities, power grid operators, pipelines and other energy companies have to continue doing business as essential services.”

The post provides some practical tips to manage the challenges of a virtual hearing.

Read the article.




Equifax To Pay Mass. $18.2 Million In Settlement, AG Healey Announces

“Equifax will pay Massachusetts $18.2 million and change its security practices as part of a settlement between the credit reporting agency and the state stemming from a major 2017 data breach, Attorney General Maura Healey announced Friday,” reports Chris Lisinski in WBUR’s Bostonomix.

“Healey sued Equifax shortly after the company’s alleged missteps exposed personal data, including Social Security numbers and driver’s license numbers, of 147 million Americans and 3 million Massachusetts residents. The attorney general said the company also failed to notify consumers in a timely manner once the breach occurred.”

“Her office reached its own settlement with Equifax about nine months after declining to join other states in July 2019 agreements, which the attorney general told reporters allowed Massachusetts to secure a larger payment and more strict conditions on the company.”

Read the article.




Protecting Your Sensitive Information While Using Virtual Meeting Platforms

“Over the last several weeks, virtual meetings have become the new normal for many businesses. Improvements in the technology now mean that virtual meetings have a similar look and feel as in-person meetings. However, there is a much greater risk to valuable information (personal and confidential) in a virtual meeting environment. Some of these risks are associated with the data that are collected and disclosed by the provider of the virtual meeting platform itself. Others arise from inadvertent disclosures or access to virtual meeting rooms by uninvited third parties. Therefore, it is important for organizations to have policies in place that address the need for enhanced cybersecurity and data protection,” warns Kevin Pomfret from Williams Mullen in JD Supra.

“Since Zoom seems to be one of the most popular virtual meeting tools, this alert will discuss how to address these risks on its platform. However, many of these same risks are also associated with other virtual meeting platforms. As a result, it is important to review user instructions, Terms and Conditions and Privacy Policies in order to identify and implement similar protective measures for other virtual meeting services.”

Read the article.




Jeep Drivers’ Claims Come to a Screeching Halt

“On March 27, 2020, a five-year legal battle between three certified classes of Jeep Cherokee drivers and Fiat Chrysler came to a sudden end, when a federal judge in the Southern District of Illinois held that allegations that the vehicles were vulnerable to cyber-attacks did not give plaintiffs standing to sue under Article III of the Constitution,” reports Melissa D. DiGrande in Proskauer’s Appellate.

“U.S. District Judge Staci M. Yandle—who was assigned to the case in April 2019, after Judge Michael Reagan retired—did not take lightly her decision to grant defendants’ motion to dismiss for lack of jurisdiction, given the lengthy history of the dispute. Discovery had been completed, experts had been retained, and several motions involving the same standing issues had already been resolved—in plaintiffs’ favor. But, as Judge Yandle explained, a federal court has ‘an independent obligation at each stage of the proceedings’ to ensure that it has subject matter jurisdiction over the litigation. Ultimately, defendants’ persistence paid off and resulted in the full dismissal of the claims, with prejudice.”

Read the article.