01 Do I need to make money to go public? 02 A new M&A playbook in the age of AI 03 Cyber enforcement forecast post-SolarWinds decision 04 Cyber diligence for IPOs with Kroll’s CISO 05 The Download Quiz: Venture capital trends...more
On November 1, the New York Department of Financial Services (NYDFS) amended its cybersecurity regulations to set additional notification, administrative, training and technical requirements. The Amended Cybersecurity...more
The U.S. Securities and Exchange Commission (SEC) has filed a fraud suit against SolarWinds and its chief information security officer (CISO), alleging they made false statements regarding the company’s security practices and...more
The SEC has finalized rules requiring public companies to disclose information about cybersecurity incidents, risk management, strategy and governance. This guide to help public companies comply with SEC rules covers...more
The Cybersecurity and Infrastructure Security Agency (“CISA”) released a “Sharing Cyber Event Information” Fact Sheet on April 7 that may preview its implementation of the new federal government cyber incident reporting...more
The SEC has proposed new disclosure rules for public companies regarding cybersecurity incidents and related policies and procedures. We will discuss in a forthcoming post practical considerations and best practices that...more
As cybersecurity incidents become increasingly complex, your initial response to a potential cybersecurity crisis matters. The decisions that you make in the first 24 to 48 hours of a potential cybersecurity incident can have...more
11/4/2021 / Cyber Attacks, Cyber Incident Reporting, Cybersecurity, Data Breach, Data Privacy, Data Protection, Incident Response Plans, Policies and Procedures, Popular, Risk Management, Risk Mitigation
In the wake of a cyber incident, regulators and law enforcement agencies closely scrutinize the cyber security measures in place at the affected organization. ...more
On January 30, 2020, the U.S. Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”) framework (CMMC overview here; CMMC Version 1.0 and appendices here). By 2026, DoD...more
3/6/2020 / Controlled Unclassified Information (CUI), Cybersecurity, Cybersecurity Maturity Model Certification (CMMC), Defense Contracts, Defense Sector, Department of Defense (DOD), DFARS, Federal Contractors, National Security, Popular, Supply Chain
Earlier this month, Andrew Smith, the FTC’s Director of the Bureau of Consumer Protection, announced that the Commission had made “three major changes” to its data security orders. Citing recent hearings at the FTC, as well...more
At the beginning of this month, more than 4,000 privacy professionals from around the globe gathered in Washington, D.C. for the International Association of Privacy Professionals’ Global Privacy Summit 2019....more
5/17/2019 / California Consumer Privacy Act (CCPA), Cybersecurity, Data Breach, Data Collection, Data Protection, Enforcement Actions, EU Data Protection Laws, General Data Protection Regulation (GDPR), International Data Transfers, Personal Data, Personally Identifiable Information, Popular, Risk Management
In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning a Federal Trade Commission (FTC) cybersecurity enforcement action. (The team directing that effort – led by Doug Meal and Michelle...more
3/14/2019 / Cease and Desist Orders, Corporate Counsel, Cybersecurity, Data Security, Enforcement Actions, Enforcement Authority, Federal Trade Commission (FTC), FTC Act, Injunctive Relief, LabMD, Popular, Remediation
Game-changing Calif. Consumer Privacy Act of 2018 puts statutory breach damages on the table -
The recently-enacted California Consumer Privacy Act of 2018 is a game-changer in a number of respects. The Act imports...more
8/24/2018 / Class Action, Cyber Attacks, Cybersecurity, Data Breach, Data Protection, Hackers, New Legislation, Personal Data, Personally Identifiable Information, Popular, Risk Management, State and Local Government, State Data Breach Notification Statutes
The recent ransomware attack on the City of Atlanta highlights the fact that the threat of ransomware affects all organizations, regardless of the nature of their industry, business, or operations, and that political...more
4/4/2018 / Cyber Attacks, Cybersecurity, Data Breach, Denial of Service Attacks, Health Insurance Portability and Accountability Act (HIPAA), Personally Identifiable Information, Phishing Scams, Popular, Public Entities, Public Finance, Ransomware, Risk Management
A recent skirmish about standing in data breach class actions (this time in the Eighth Circuit), involving securities and brokerage firm Scottrade, suggests that, even if plaintiffs win that limited question, there are other...more
10/31/2017 / Article III, Brokerage Accounts, Class Action, Corporate Counsel, Cyber Attacks, Data Breach, Hackers, Personally Identifiable Information, Popular, Scottrade, Standing
This week, a high profile plaintiffs’ firm (Edelson) stated that “if done right,” the data breach class actions against Equifax should yield more than $1 billion in cash going directly to more than 143 million consumers...more
10/16/2017 / Corporate Counsel, Credit Reporting Agencies, Cyber Attacks, Cybersecurity, Data Breach, Data Protection, Enforcement Actions, Equifax, Federal Trade Commission (FTC), Financial Services Industry, Hackers, Identity Theft, Personally Identifiable Information, Popular, Risk Management, Settlement, Vulnerability Assessments
In the latest sign that data breach class actions are here to stay—and, indeed, growing—the D.C. Circuit resuscitated claims against health insurer CareFirst BlueCross and Blue Shield, following a 2015 breach that compromised...more
9/8/2017 / Article III, Blue Cross, Blue Shield, CareFirst, Class Action, Cyber Attacks, Cybersecurity, Data Breach, GLBA Privacy, Hackers, Health Insurance, Health Insurance Portability and Accountability Act (HIPAA), Identity Theft, Injury-in-Fact, Personally Identifiable Information, Popular, Standing
August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations...more
8/31/2017 / Banking Sector, Chief Information Security Officer (CISO), Covered Entities, Cybersecurity, Cybersecurity Framework, Data Protection, Financial Institutions, Financial Services Industry, Information Technology, Insurance Industry, NYDFS, Personally Identifiable Information, Popular, Risk Management
Shortly after the new year, the Federal Trade Commission filed suit in the Northern District of California against D-Link Corporation, a Taiwan-based maker of wireless routers, Internet Protocol (IP) cameras, and software...more
2/6/2017 / Corporate Counsel, Data Security, Federal Trade Commission (FTC), Hackers, Popular, Security Standards, Software, Taiwan, Technology, Technology Sector, Vulnerability Assessments, Young Lawyers
There is no such thing as compliance with the NIST Cybersecurity Framework (FTC). In September, the FTC dispelled a commonly held misconception regarding the NIST Framework: It “is not, and isn’t intended to be, a standard or...more
1/30/2017 / Cyber Insurance, Cybersecurity, Cybersecurity Framework, Data Breach, Department of Health and Human Services (HHS), Drones, Email, FBI, Federal Aviation Administration (FAA), Federal Trade Commission (FTC), FTC Act, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, NIST, OCR, PHI, Phishing Scams, Popular, Privacy Concerns, Ransomware, Risk Assessment, Risk Management, Target, Unmanned Aircraft Systems
States were busy updating their data breach notification statutes in 2016. With 2016 in the rear view, let’s take a look back at the legislative changes that will impact corporate incident response processes and what those...more
Last week, as part of its Fall Technology Series, the Federal Trade Commission (“FTC”) hosted a much-anticipated workshop to explore the privacy concerns associated with drones. Although many in the audience hoped that this...more
The Sixth Circuit joined the growing trend of appellate courts holding that plaintiffs had demonstrated standing for data breach class actions in Galaria et al. v. Nationwide Mutual Insurance Company. In a recent order, the...more
10/5/2016 / Article III, Class Action, Corporate Counsel, Data Breach, Insurance Industry, Nationwide Insurance Co., Neiman Marcus, Personally Identifiable Information, PF Chang's, Popular, Standing
On September 12, 2016, the Data Protection Authority of the German Federal State of North Rhine-Westphalia (“DPA NRW”) became one of the first EU data protection authorities to issue guidance on the implementation of the...more
Just as it promised a year ago, New York State proposed new proscriptive, minimum cybersecurity requirements for regulated financial services institutions. The regulations go final after a 45-day notice and public comment...more