As we discussed in our prior blog post, the Securities and Exchange Commission (SEC) recently finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the "Rule")....more
12/15/2023 / Cyber Incident Reporting, Cybersecurity, Department of Justice (DOJ), Disclosure Requirements, FBI, Form 8-K, Infrastructure, New Guidance, Popular, Publicly-Traded Companies, Remediation, Securities and Exchange Commission (SEC)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (UK NCSC), along with partner agencies from 17 nations, have released Guidelines for Secure AI System Development (the...more
12/5/2023 / Artificial Intelligence, Asset Protection, Biden Administration, Critical Infrastructure Sectors, Cyber Threats, Cybersecurity, Documentation, Executive Orders, Homeland Security Cybersecurity & Infrastructure Security Agency (CISA), Incident Response Plans, Infrastructure, Machine Learning, NCSC, NIST, Popular, Risk Management, Supply Chain
Data breaches come in many different forms, sizes, and levels of complexity, but they tend to share certain key facts: A third-party bad actor—whether through a phishing attack, a ransomware attack, exploitation of a zero-day...more
10/26/2023 / Bad Actors, Breach of Contract, Class Action, Corporate Counsel, Data Breach, Data Security, Department of Health and Human Services (HHS), Federal Rules of Civil Procedure, Health Insurance Portability and Accountability Act (HIPAA), Incident Response Plans, Litigation Strategies, Negligence, Personal Information, PHI, Phishing Scams, Popular, Ransomware, Unfair or Deceptive Trade Practices
The Office of the National Cyber Director (ONCD) has extended the deadline to respond to its Request for Information (RFI) seeking public comment on "opportunities for and obstacles to harmonizing" cybersecurity regulations....more
9/14/2023 / Cybersecurity, Deadlines, Department of Homeland Security (DHS), Homeland Security Cybersecurity & Infrastructure Security Agency (CISA), Infrastructure, Interagency Guidance, NDAA, NIST, OMB, Popular, Proposed Regulation, Request For Information, Risk Mitigation
The Federal Communications Commission (FCC) has published its notice of proposed rulemaking (the NPRM) detailing the proposed creation of a voluntary cybersecurity labeling program for Internet of Things (IoT) or "smart"...more
On July 26, 2023, the Transportation Security Administration (TSA) issued a revised Security Directive governing the cybersecurity practices of owners and operators of critical liquid and natural gas pipelines and liquified...more
The CPPA kicked off a first round of rulemaking in May 2022 and finalized that set of rules in March of this year. At the latest California Privacy Protection Agency (CPPA) meeting, the CPRA Rules Subcommittee (Rules...more
8/18/2023 / Artificial Intelligence, Audits, Automated Systems, California, California Privacy Protection Agency (CPPA), California Privacy Rights Act (CPRA), Criminal Justice Reform, Cybersecurity, Machine Learning, New Regulations, Personal Information, Popular, Privacy Laws, Risk Assessment, Rulemaking Process
Iowa becomes the fourth U.S. state to provide an affirmative defense for companies that adopt a cybersecurity framework -
Iowa is the fourth state—following Ohio, Connecticut, and Utah—to provide a statutory incentive for...more
7/19/2023 / Cyber Attacks, Cybersecurity, Data Breach, Data Protection, New Legislation, Popular, Regulatory Reform, Risk Management, Safe Harbors, State and Local Government, State Data Breach Notification Statutes
The Texas Data Privacy and Security Act (TDPSA) became law on June 16, 2023. Texas becomes the 11th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa,...more
7/7/2023 / Biometric Information, Compliance, Consent, Data Privacy, Data Protection, Data Security, Fair Credit Reporting Act (FCRA), Health Insurance Portability and Accountability Act (HIPAA), Non-Discrimination Rules, Notice Requirements, Opt-Outs, Popular, Private Right of Action, Reporting Requirements, SBA, Sensitive Personal Information, Small Business, State Privacy Laws, Texas
A reminder to non-bank financial institutions subject to the Gramm-Leach-Bliley Act (GLBA): the deadline to comply with the Federal Trade Commission's (FTC) revised Standards for Safeguarding Customer Information, commonly...more
5/19/2023 / Compliance, Cybersecurity, Deadlines, Department of Education, Federal Trade Commission (FTC), Financial Institutions, FTC Act, GLBA Privacy, Investment Adviser, Multi-Factor Authentication, New Rules, Popular, Risk Assessment, Safeguards Rule, Third-Party Risk
The Securities and Exchange Commission (SEC or Commission) voted on March 15, 2023, to propose three new sets of rules for data security, cybersecurity, and IT operational resilience. The newly proposed rules would, among...more
The U.S. Securities and Exchange Commission ("SEC" or the "Commission") has ordered Blackbaud, Inc. ("Blackbaud") to pay $3 million to resolve claims that it made materially misleading statements about a 2020 ransomware...more
3/16/2023 / Cyber Attacks, Cybersecurity, Data Breach, Data Protection, Disclosure Requirements, Enforcement Actions, Hackers, Misleading Statements, Popular, Ransomware, Securities and Exchange Commission (SEC), Securities Violations
The Biden-Harris Administration has unveiled its highly anticipated National Cybersecurity Strategy — a sweeping and ambitious document calling for "fundamental changes to the underlying dynamics of the digital ecosystem."...more
While ransomware attacks usually grab the headlines, business email compromise (BEC) attacks continue to cause massive financial losses for businesses. The FBI’s Internet Crime Complaint Center (IC3) reported BEC losses in...more
2/27/2023 / Anti-Money Laundering, Banking Sector, BSA/AML, Business E-Mail Compromise (BEC), Consumer Financial Protection Bureau (CFPB), Corporate Counsel, Data Breach, Financial Crimes, Financial Institutions, Money Laundering, Popular, Uniform Commercial Code (UCC)
The Federal Communications Commission ("FCC" or "Commission") has released its long-awaited Notice of Proposed Rulemaking ("NPRM") proposing to revise data breach reporting requirements for telecommunications carriers and...more
The Transportation Security Administration (TSA) published an Advance Notice of Proposed Rulemaking (ANPRM) on November 30, 2022, seeking stakeholder comment on ways to strengthen cybersecurity and resiliency for pipeline and...more
The New York Department of Financial Services (NYDFS) continues to be a major player in data security enforcement. On Oct. 18, 2022, NYDFS announced that it had entered into a consent order with EyeMed Vision Care LLC...more
October was a busy month in New York for cybersecurity enforcement. In addition to a $4.5 million settlement between the New York Department of Financial Services and EyeMed Vision Care (discussed in a forthcoming blog post),...more
The Colorado Attorney General's Office has published its much-anticipated proposed rules (Proposed Rules) implementing the Colorado Privacy Act (CPA), which, as we discussed in an earlier blog post, was enacted on July 7,...more
The U.S. electric grid is a prime target for cyberattacks, including by both nation-state actors and organized crime. Electric utilities have been ahead of much of the rest of the energy sector in hardening their...more
A reminder to financial services firms: the Consumer Financial Protection Bureau (CFPB) is also a data security regulator....more
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law by President Biden in March 2022 as part of the Consolidated Appropriations Act of 2022, will require companies operating in...more
On Monday, March 21, 2022, the White House issued a statement warning of "evolving intelligence" that the Russian government may launch cyberattacks aimed at the United States in response to sanctions arising from Russia's...more
Since first announced in December 2021, the critical Log4j vulnerability has stolen the attention of many cybersecurity professionals. The Federal Trade Commission (FTC) has taken notice too....more