In November 2023, the New York Department of Financial Services (NYDFS) issued its second amendment to its "Cybersecurity Requirements for Financial Services Companies (the Cybersecurity Regulation or Part 500). This was the...more
4/10/2025
/ Chief Information Security Officer (CISO) ,
Compliance ,
Covered Entities ,
Cybersecurity ,
Filing Deadlines ,
Financial Services Industry ,
New Regulations ,
NYDFS ,
Regulatory Requirements ,
Reporting Requirements ,
Risk Management ,
Vulnerability Assessments
The U.S. Securities and Exchange Commission's (SEC) Division of Corporate Finance (Division) published a statement on May 21, 2024, regarding how public companies may disclose cyber incidents they determined to be immaterial....more
On November 27, 2023, the California Privacy Protection Agency (CPPA) released draft regulations mandating notice, opt-out, and information access requirements for companies using automated decision-making technology (ADMT)...more
12/8/2023
/ Artificial Intelligence ,
Automated Decision Systems (ADS) ,
Business Entities ,
California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Criminal Justice Reform ,
Cybersecurity ,
Employer Liability Issues ,
Financial Services Industry ,
Healthcare ,
Machine Learning ,
New Rules ,
Notice Requirements ,
Opt-Outs ,
Regulatory Agenda ,
Technology Sector ,
Transparency
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (UK NCSC), along with partner agencies from 17 nations, have released Guidelines for Secure AI System Development (the...more
12/5/2023
/ Artificial Intelligence ,
Asset Protection ,
Biden Administration ,
Critical Infrastructure Sectors ,
Cyber Threats ,
Cybersecurity ,
Documentation ,
Executive Orders ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Incident Response Plans ,
Infrastructure ,
Machine Learning ,
NCSC ,
NIST ,
Popular ,
Risk Management ,
Supply Chain
The CPPA kicked off a first round of rulemaking in May 2022 and finalized that set of rules in March of this year. At the latest California Privacy Protection Agency (CPPA) meeting, the CPRA Rules Subcommittee (Rules...more
8/18/2023
/ Artificial Intelligence ,
Audits ,
Automated Systems ,
California ,
California Privacy Protection Agency (CPPA) ,
California Privacy Rights Act (CPRA) ,
Criminal Justice Reform ,
Cybersecurity ,
Machine Learning ,
New Regulations ,
Personal Information ,
Popular ,
Privacy Laws ,
Risk Assessment ,
Rulemaking Process
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the "Final Rule") by a...more
According to its Spring 2023 rulemaking agenda, the U.S. Securities and Exchange Commission (SEC) has delayed issuance of two sets of cybersecurity requirements that previously were expected to be finalized in April 2023. The...more
6/28/2023
/ Broker-Dealer ,
Business Development Companies ,
Corporate Governance ,
Corporate Strategy ,
Cyber Incident Reporting ,
Cybersecurity ,
Investment Adviser ,
Proposed Rules ,
Publicly-Traded Companies ,
Registered Investment Advisors ,
Regulatory Agenda ,
Risk Management ,
Rulemaking Process ,
Securities and Exchange Commission (SEC)
On April 11, 2023, the Department of Commerce, through the National Telecommunications and Information Administration (NTIA), issued a request for comments (RFC) on AI system accountability measures and policies. The “AI...more
The Colorado Attorney General's Office released the final version of its rules implementing the Colorado Privacy Act (CPA) on March 15. The CPA was enacted on July 7, 2021 and the first draft of the implementing rules were...more
The U.S. Securities and Exchange Commission ("SEC" or the "Commission") has ordered Blackbaud, Inc. ("Blackbaud") to pay $3 million to resolve claims that it made materially misleading statements about a 2020 ransomware...more
3/16/2023
/ Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Data Protection ,
Disclosure Requirements ,
Enforcement Actions ,
Hackers ,
Misleading Statements ,
Popular ,
Ransomware ,
Securities and Exchange Commission (SEC) ,
Securities Violations
On January 26, 2023, the National Institute of Standards and Technology (NIST) released the final version of its AI Risk Management Framework (RMF). ...more
The U.S. Securities and Exchange Commission (SEC) appears to have big plans for cybersecurity regulation in 2023....more
On December 21, 2023, the Colorado Attorney General released a second draft of the Colorado Privacy Act Rules, revising the previous draft of the proposed rules. Our analysis of the first draft of the rules can be found here....more
In a significant move toward replacing the invalidated Privacy Shield, the European Commission (EC) released a draft Adequacy Decision on December 13, 2022, concluding that the U.S. legal framework provides an adequate level...more
The New York Department of Financial Services (NYDFS) has proposed significant amendments (Proposed Amendments) to its Cybersecurity Requirements for Financial Services Companies (Cybersecurity Regulation)....more
The New York Department of Financial Services (NYDFS) continues to be a major player in data security enforcement. On Oct. 18, 2022, NYDFS announced that it had entered into a consent order with EyeMed Vision Care LLC...more
The New York Department of Financial Services (NYDFS) continues to be a major player in data security enforcement. On Oct. 18, 2022, NYDFS announced that it had entered into a consent order with EyeMed Vision Care LLC...more
October was a busy month in New York for cybersecurity enforcement. In addition to a $4.5 million settlement between the New York Department of Financial Services and EyeMed Vision Care (discussed in a forthcoming blog post),...more
In March 2022, the US and EU announced they had agreed in principle to a new Trans-Atlantic Data Privacy Framework (Framework) intended to simplify transfers of personal information. After months of waiting for the final...more
The Colorado Attorney General's Office has published its much-anticipated proposed rules (Proposed Rules) implementing the Colorado Privacy Act (CPA), which, as we discussed in an earlier blog post, was enacted on July 7,...more
On August 18, the National Institute of Standards and Technology (NIST) released a second draft of its Artificial Intelligence Risk Management Framework (the Second Draft) for public comment. The first draft was released in...more
The Federal Trade Commission has formally launched a rulemaking proceeding that nominally is focused on consumer privacy issues, but actually raises significant questions about the impact of artificial intelligence/machine...more
Newly proposed amendments to the New York Department of Financial Services' (NYDFS) already-comprehensive cybersecurity rules would impose heightened cybersecurity requirements on large financial institutions and additional...more
On May 25, 2022, the European Commission announced the release of a new guidance document relating to standard contractual clauses (SCCs) and international data transfers. The guidance is included in a series of questions and...more
The California Privacy Protection Agency Board (the "CPPA Board") announced on May 27, 2022, that it would hold a public meeting on June 8 to discuss, among other things, a set of detailed proposed regulations to "Implement,...more
6/6/2022
/ California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
Opt-Outs ,
Personal Information ,
Proposed Regulation ,
State Privacy Laws