Major changes are coming again to the Federal Risk and Authorization Management Program ("FedRAMP"), the federal government's cybersecurity authorization program for cloud service providers ("CSPs")....more
4/21/2025
/ Automated Systems ,
Cloud Computing ,
Cybersecurity ,
Data Security ,
FedRAMP ,
Government Agencies ,
Information Technology ,
NIST ,
OMB ,
Regulatory Reform ,
Regulatory Requirements ,
Risk Management
The Department of Justice (DOJ) has issued guidance on its recently effective rule targeting foreign adversaries that "use commercial activities to access, exploit, and weaponize U.S. Government-related data and Americans'...more
4/16/2025
/ Biden Administration ,
Compliance ,
Data Security ,
Department of Justice (DOJ) ,
Enforcement Actions ,
Executive Orders ,
Final Rules ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
National Security ,
New Guidance ,
Regulatory Requirements ,
Trump Administration
The Payment Card Industry Security Standards Council (PCI SSC) has issued an FAQ for ecommerce merchants that outsource their payment card processing to a vendor using an embedded payment page or form (such as an "iframe")....more
In his final days in office, President Biden signed an ambitious executive order to improve the federal government's approach to cybersecurity. Executive Order 14114 ("Executive Order"), issued January 16, 2025, titled...more
2/5/2025
/ Biden Administration ,
Cloud Computing ,
Compliance ,
Cybersecurity ,
Data Security ,
Department of Justice (DOJ) ,
Enforcement ,
Executive Orders ,
Federal Acquisition Regulations (FAR) ,
Federal Contractors ,
FedRAMP ,
General Services Administration (GSA) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
NIST ,
OMB ,
Software
The Federal Trade Commission (FTC or Commission) has amended its Standards for Safeguarding Customer Information, commonly known as the "Safeguards Rule," to require non-bank financial institutions to report certain data...more
Data breaches come in many different forms, sizes, and levels of complexity, but they tend to share certain key facts: A third-party bad actor—whether through a phishing attack, a ransomware attack, exploitation of a zero-day...more
10/26/2023
/ Bad Actors ,
Breach of Contract ,
Class Action ,
Corporate Counsel ,
Data Breach ,
Data Security ,
Department of Health and Human Services (HHS) ,
Federal Rules of Civil Procedure ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Incident Response Plans ,
Litigation Strategies ,
Negligence ,
Personal Information ,
PHI ,
Phishing Scams ,
Popular ,
Ransomware ,
Unfair or Deceptive Trade Practices
Oregon becomes the 12th state with a comprehensive consumer data privacy law -
The Oregon Consumer Privacy Act (OCPA) became law on July 18, 2023. Oregon is the twelfth state to enact a comprehensive consumer data privacy...more
7/20/2023
/ Consumers ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Protection Acts ,
Data Security ,
Legislative Agendas ,
New Legislation ,
New Regulations ,
Oregon ,
Personal Data ,
Privacy Laws ,
State and Local Government ,
State Privacy Laws
The Texas Data Privacy and Security Act (TDPSA) became law on June 16, 2023. Texas becomes the 11th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa,...more
7/7/2023
/ Biometric Information ,
Compliance ,
Consent ,
Data Privacy ,
Data Protection ,
Data Security ,
Fair Credit Reporting Act (FCRA) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Non-Discrimination Rules ,
Notice Requirements ,
Opt-Outs ,
Popular ,
Private Right of Action ,
Reporting Requirements ,
SBA ,
Sensitive Personal Information ,
Small Business ,
State Privacy Laws ,
Texas
INCDPA takes business-friendly approach to data privacy, following Virginia, Utah, and Iowa -
Indiana has become the seventh state to enact a "comprehensive" data privacy law, joining California, Virginia, Colorado,...more
On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (the "Act"), which will regulate the collection, use, and disclosure of "consumer health data" ("Consumer Health Data" or "CHD"). The...more
5/2/2023
/ Business Associates ,
Covered Entities ,
Data Privacy ,
Data Protection ,
Data Security ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
Patient Privacy Rights ,
PHI ,
Private Right of Action
The federal government continues to put pressure on cloud service providers. On March 22, 2023, the Federal Trade Commission (FTC) issued a Request for Information (RFI) seeking public input on the market power and business...more
March 2023 was a consequential month for data privacy law. The California Office of Administrative Law (OAL) formally approved regulations issued by the California Privacy Protection Agency (CPPA) implementing the California...more
With the unanimous passage of Senate File 262 by the Iowa House and Senate and the Governor's signature Tuesday, the Hawkeye State joins California, Colorado, Connecticut, Virginia, and Utah as one of six states with a...more
3/31/2023
/ Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Security ,
New Legislation ,
Personal Information ,
Privacy Laws ,
Regulatory Reform ,
State Data Breach Notification Statutes ,
State Data Privacy Laws
For businesses subject to data breach notification requirements in Utah and Pennsylvania, a series of significant amendments will soon go into effect in both states. ...more
The Securities and Exchange Commission (SEC or Commission) voted on March 15, 2023, to propose three new sets of rules for data security, cybersecurity, and IT operational resilience. The newly proposed rules would, among...more
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the formation of a new program aimed at identifying and preventing ransomware attacks. The initiative is known as the Ransomware Vulnerability Warning...more
The Biden-Harris Administration has unveiled its highly anticipated National Cybersecurity Strategy — a sweeping and ambitious document calling for "fundamental changes to the underlying dynamics of the digital ecosystem."...more
The New York Department of Financial Services (NYDFS) continues to be a major player in data security enforcement. On Oct. 18, 2022, NYDFS announced that it had entered into a consent order with EyeMed Vision Care LLC...more
On November 15, 2022, the Federal Trade Commission (FTC) announced a six-month extension of the deadline to comply with most provisions of its new Safeguards Rule. Covered "financial institutions" under the Safeguards Rule,...more
The New York Department of Financial Services (NYDFS) continues to be a major player in data security enforcement. On Oct. 18, 2022, NYDFS announced that it had entered into a consent order with EyeMed Vision Care LLC...more
October was a busy month in New York for cybersecurity enforcement. In addition to a $4.5 million settlement between the New York Department of Financial Services and EyeMed Vision Care (discussed in a forthcoming blog post),...more
The Colorado Attorney General's Office has published its much-anticipated proposed rules (Proposed Rules) implementing the Colorado Privacy Act (CPA), which, as we discussed in an earlier blog post, was enacted on July 7,...more
The federal Cybersecurity & Infrastructure Security Agency (CISA) has issued a request for information (RFI) seeking public input on its development of cyber incident and ransom payment reporting rules under the Cyber...more
A reminder to financial services firms: the Consumer Financial Protection Bureau (CFPB) is also a data security regulator....more
The Federal Trade Commission (FTC) may have just taken its first steps towards the creation of generally applicable federal privacy and security rules. On Aug. 11, 2022, the FTC published an advance notice of proposed...more