In addition to holiday celebrations, the month of December typically ushers in a final round of enforcement actions by the U.S. Department of Health and Human Services' (HHS) Office of Civil Rights (OCR), and 2024 is no...more
President Ronald Reagan famously quipped, "I think you all know that I've always felt that the nine most terrifying words in the English language are: I'm from the Government, and I'm here to help."1 At an Oct. 23-24, 2024,...more
On August 22, 2024, the United States intervened in a whistleblower suit against the Georgia Institute of Technology, initially filed by current and former members of Georgia Tech’s cybersecurity team, alleging that Georgia...more
An unprecedented cyber qui tam action involving Georgia Tech’s alleged failure to comply with certain cybersecurity controls underscores the importance of having advanced cyber requirements for federal contractors. Our...more
Late last week, the U.S. Department of Justice (DOJ) filed its complaint-in-intervention in a qui tam lawsuit against the Georgia Institute of Technology (Georgia Tech), alleging that the university failed to meet certain...more
More than two months after the February 2024 Change Healthcare cyber-ransom attack, the healthcare industry continues to grapple with the fallout, creating significant challenges, disruptions, and outages to the healthcare...more
The Federal Acquisition Regulatory (FAR) Council on Oct. 3, 2023, issued two proposed rules to partially implement President Biden's Executive Order on Improving the Nation's Cybersecurity. The first proposed rule imposes...more
The New York State Department of Financial Services (NYDFS) recently published a revised proposed second amendment to its cybersecurity regulation, 23 NYCRR 500. ...more
[author: Matt Kelly] In September 2020 the National Institute of Standards and Technology (NIST) unveiled the fifth version of its cybersecurity standard formally known as SP 800-53, “Security and Privacy Controls for...more
NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control...more
As employers respond to the ongoing COVID-19 coronavirus pandemic, many are implementing work-from-home policies and establishing situational teleworking opportunities for their employees. While remote-work technology can...more
On March 21, 2020, companies will need to comply with yet another data privacy and security law when the New York Stop Hacks and Improve Electronic Data Security Act ("NY SHIELD Act") takes effect. The SHIELD Act is unique in...more
Earlier this month, it was reported that the National Security Agency (NSA) discovered a serious security flaw in Microsoft Windows 10 cryptographic functionality, CVE-2020-0601.That security flaw could render trust...more
On January 16, the Commerce Department’s National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework: A Tool for Privacy Through Enterprise Risk Management. The product of a two-year...more
On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA applies to a wide range of companies and broadly governs the collection, use and sale of personal information of California...more
January 14, 2020, the Board of Regents formally adopted Part 121 to the Commissioner’s Regulations to implement Education Law § 2-d. The regulation will become effective January 29, 2020. This regulation primarily addresses...more
As of January 1, 2020, California became the first state to permit residents whose personal information is exposed in a data breach to seek statutory damages between $100-$750 per incident, even in the absence of any actual...more
Addressing cybersecurity risks invariably involves very technical matters. As a result, in many companies the IT department has been responsible for developing and implementing cybersecurity plans and procedures....more
A large portion of the data breaches that occur each year involve human resource related issues. This includes situations in which HR data was lost, employees were inadvertently responsible for the loss of information about...more
Many employers historically were only concerned with privacy and security for health plans under the Health Insurance Portability and Accountability Act (HIPAA)1 and state laws; however, there are other references to...more
‘Tis the season for listening. Joining a previous Presidential Commission invitation, the Federal Trade Commission (the FTC) is now seeking comments on the GLB Safeguards Rule. The GLB Safeguards Rule, which took effect in...more
Recently, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, agreed to settle charges that it failed to establish the required cybersecurity policies and procedures before a...more
If you read one thing... - On September 15th, the SEC OCIE announced in a Risk Alert it will launch a second round of cybersecurity examinations of registered broker-dealers and investment advisers, which will be more...more
On August 24, 2015, the Third Circuit affirmed the United States District Court for the District of New Jersey’s denial of a motion to dismiss in FTC v. Wyndham Worldwide Corp. In Wyndham, the Federal Trade Commission...more