On April 8, the Office of the Comptroller of the Currency (OCC) officially notified Congress of a significant information security incident involving its email system. This notification, mandated by the Federal Information...
On October 31, OIG for the Fed and the CFPB released its 2024 Audit of the Board’s Information Security Program. The audit found that the Board’s information security program continues to operate at a level-4 (managed and...
These days, cyber regulators are in a hurry. Commentators have observed, the “federal government is quietly directing a seismic shift in the economy” with new mandates. Anne Neuberger, Deputy National Security Advisor for...
On March 27, 2024, the Cybersecurity & Infrastructure Security Agency (“CISA”) released proposed regulations requiring expansive new cybersecurity incident and ransomware payment reporting across sixteen “critical...
The National Institute of Standards and Technology released an updated version of its Cybersecurity Framework, CSF 2.0, earlier this week. The CSF, initially launched in 2014, is a tool developed by NIST to help private...
The Project Management Office (PMO) for the Federal Risk and Authorization Management Program (FedRAMP) has issued an updated version of FedRAMP's 3PAO Obligations and Performance Standards (3PAO Standards), which sets forth...
The average cost of a data breach is on the rise. According to the 2022 ForgeRock Consumer Identity Breach Report, the average cost in 2021 of recovering from a data breach in the U.S. is $9.5 million — an increase of 16%...
President Joe Biden recently signed into law the Cyber Incident Reporting For Critical Infrastructure Act of 2022. This new law updates the Federal Information Security Modernization Act (FISMA)...
In July, Connecticut passed a largely unnoticed new law that followed in the footsteps of Ohio and Utah in limiting damages or creating affirmative defenses for businesses that experience a data breach after implementing a...
In Connecticut, if you adopt and maintain and comply with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that...
Connecticut’s new cybersecurity standards law, which goes into effect on October 1, 2021, protects companies from punitive damages in certain data breach actions where an organization has a cybersecurity program that conforms...
Although the Connecticut legislature was not successful in passing a privacy law similar to those passed in California, Colorado and Virginia, on June 24, 2021, the “Act Incentivizing The Adoption Of Cybersecurity Standards...
The U.S. Department of Homeland Security (DHS) has been central in federal cybersecurity policy for years, as an important non-regulatory body that convenes the private sector, works across agencies, and protects information...
ICYMI, on Wednesday, January 6, 2021, the United States Department of Justice (DOJ) issued an update about what it termed “a major incident under the Federal Information Security Modernization Act”: the global SolarWinds...
Tech companies considering government business must anticipate risks, including from competitors. A forward-looking initiative from the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of...
The Coronavirus Aid, Relief and Economic Security (“CARES”) Act has created a flurry of far reaching considerations for affected businesses, ranging from tax, employment, and even telehealth. Beyond these issues, businesses...
Amid increased public and government attention to cyber security, a qui tam plaintiff’s lawsuit has resulted in a large settlement for a government contractor’s purported misrepresentations regarding compliance with government...
Tacking an entirely new direction from other US states, Ohio has decided to offer defensive legal protection to businesses who have built a cybersecurity regime around well-known industry standards, even where those...
In mid-January, the General Services Administration (GSA) released their Semiannual Regulation Agenda. Within this agenda, GSA announced plans to update requirements in the General Services Administration Acquisition...
Legislation was recently introduced in Ohio encouraging businesses to take steps in protecting consumer data. Ohio Senate Bill 220, The Data Protection Act (the “Act”), provides businesses that take certain commercially...
On June 1, 2017, the United States District Court for the District of Columbia issued a decision in a class action lawsuit, McDowell v. CGI Federal Inc., Civ. Action No. 15-1157 (GK) (D.D.C. 2017), which could have...
With the growing threat of cyberattacks, we thought it would be worthwhile to discuss a late 2016 change in reporting requirements for federal agencies that have suffered a data breach. The Office of Management and Budget’s...
While all companies should be concerned with their cybersecurity posture, companies in the aerospace, defense, and government services (ADG) industry are potentially subject to greater risks due to the industry's highly...
On March 10, 2017, the Office of Management and Budget (“OMB”) released its annual report to Congress under the Federal Information Security Modernization Act of 2014. The report compiles fiscal year 2016 information from...
In this edition of our Privacy & Cybersecurity Update, we discuss the Congressional vote to repeal the FCC Privacy Rule, new cybersecurity developments from the Trump administration and the FTC's new guidance to companies on...