On October 21, 2022, the US Department of Health and Human Services, along with the FBI and the Cybersecurity Infrastructure and Security Agency (CISA), issued a bulletin warning that a cyber threat actor group known as "Daixin Team," is actively targeting US businesses, predominantly in the healthcare and public health sectors, with ransomware and data extortion operations. The bulletin contains several technical recommendations that should be passed along and, if possible, implemented by your IT teams.

But cybersecurity begins at the top of an organization, a point the Federal Trade Commission (FTC) emphasized in a proposed consent issued on October 24. In that matter, the FTC alleged that a company's failure to use appropriate information security practices was the responsibility of the CEO. The FTC alleged that the CEO did not implement, or properly delegate responsibility to implement, reasonable information security practices, by failing to hire an executive responsible for information security—although he hired executives for many other areas. In the proposed consent, that individual, for the next 10 years, will be responsible for ensuring that any future company where he is a majority owner or CEO (or similar position) has implemented and maintains a comprehensive information security program.

Steps you can take

  1. If you don't already have one, appoint a senior executive responsible for security of personal data, including policies and procedures as well as an incident response plan—not to mention implementation of the CISA recommendations.
  2. Have that senior officer report to the Board of Directors (or other governing body) at least annually on the effectiveness of your organization's security, as well as any material cybersecurity events that have occurred since the prior report, and any material cybersecurity risks facing your organization.
  3. Conduct a tabletop exercise with senior executives to simulate a cyberattack/ransomware event and see how your organization would respond, including finding and fixing any holes in your current incident response plan.

If you have questions about implementing your security program or conducting ongoing risk assessments, please contact the Norton Rose Fulbright professionals listed below.



Contacts

Denise Webb Glass
Denise Webb Glass
Office Administrative Partner, Dallas
Email
denise.glass@nortonrosefulbright.com
T: +1 214 855 8063
Susan Linda Ross
Susan Linda Ross
Senior Counsel
Email
susan.ross@nortonrosefulbright.com
T: +1 212 318 3280

Industries:

Practice areas:

Recent publications

US government still pausing the Corporate Transparency Act enforcement, despite US Supreme Court win

Publication

US government still pausing the Corporate Transparency Act enforcement, despite US Supreme Court win

The US government announced that it continues to pause mandatory beneficial ownership information filing requirements with the FinCEN

United States | January 27, 2025

Corporate, M&A and securities
US policy changes to critical mineral strategy included in “Unleashing American Energy” executive order

Publication

Policy changes to mineral strategy in “Unleashing American Energy” executive order

President Trump recently signed Executive Order - Unleashing American Energy (EO 14154) and Executive Order - Declaring a National Energy Emergency (EO 14159), which include new mining-related policies.

United States | January 24, 2025

Mining
From paid leave to safety: Employer considerations amid California wildfires

Publication

From paid leave to safety: Employer considerations amid California wildfires

We are deeply saddened by the devastation caused by the recent Southern California wildfires.

United States | January 23, 2025

Employment and labor
Site search

Subscribe and stay up to date with the latest legal news, information and events . . .

Subscribe now