New, first-of-their-kind consumer health data privacy laws in Washington and Nevada are designed to provide state-level protections for personal health data not covered by the Health Insurance Portability and Accountability...
The National Institute of Standards and Technology ("NIST") released a significant update to its framework, expanding its scope and reach to cover a broader audience and evolving cybersecurity risks and management issues....
New York is the first state to propose cybersecurity requirements for all hospitals operating in the state to address patient safety and other cybersecurity related issues....
12/1/2023 / Chief Information Security Officer (CISO), Cyber Threats, Cybersecurity, Data Protection, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Facilities, Hospitals, New York, NYDFS, Patient Privacy Rights, Popular, Proposed Regulation, Regulatory Agenda, Regulatory Reform
A major amendment to the New York State Department of Financial Services' cybersecurity regulations establishes affirmative cybersecurity oversight duties and requires companies to report extortion payments to the agency....
11/16/2023 / Chief Information Security Officer (CISO), Cybersecurity, Cybersecurity Framework, Data Protection, Extortion, Financial Institutions, Financial Services Industry, Information Technology, NYDFS, Popular, Risk Assessment, Third-Party Service Provider
On Friday, October 27, the Federal Trade Commission ("FTC") announced new amendments to the Safeguards Rule, requiring covered financial institutions to report certain data breaches to the FTC and reflecting its continuing...
11/13/2023 / Cybersecurity, Data Protection, Data Security, Federal Trade Commission (FTC), Financial Institutions, Financial Regulatory Reform, Financial Services Industry, FTC Act, Gramm-Leach-Bliley Act, New Amendments, Non-Bank Lenders, Personal Information, Popular, Privacy Rule, Risk Assessment, Risk Management, Safeguards Rule, Section 5
On July 18, 2023, Oregon Governor Tina Kotek signed Senate Bill 619, referred to as the "Oregon Consumer Privacy Act" ("OCPA" or "the Act"), making Oregon the 11th state to enact a comprehensive data privacy law....
If adopted, these proposed rules would (i) enhance protection of customer information under Regulation S-P, (ii) add new requirements addressing cybersecurity risk to the U.S. securities markets, and (iii) expand the types of...
Asserting that the company misstated the scope of data stolen in the cyberattack, the SEC provides a clear reminder that cybersecurity disclosures remain an agency priority....
France's Orientation and Programming Law of the Ministry of the Interior ("LOMPI law"), published in the Official Journal of January 25, 2023, amends the insurance coverage of losses and damages paid in response to...
2/27/2023 / Cyber Attacks, Cyber Crimes, Cyber Insurance, Cybersecurity, Data Breach, Data Processors, France, Information Technology, Insurance Code, New Guidance, Popular, Ransomware, Regulatory Requirements
In Short:
The Situation: The cyber insurance market is experiencing a major retrenchment, with insurers seeking to limit their exposure in a variety of ways....
In Short -
The Situation: Following a number of high-profile cyber incidents resulting in significant data breaches, the Australian Government has doubled down on its efforts to strengthen privacy laws and cybersecurity...
On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the "Act"), creating new requirements for organizations operating in critical infrastructure sectors to...
3/18/2022 / Biden Administration, Critical Infrastructure Sectors, Cyber Attacks, Cyber Incident Reporting, Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), Cybersecurity, Data Breach, Data Breach Plans, Data Protection, Data Security, New Legislation, Popular, Regulatory Reform, Reporting Requirements
The Cyberspace Administration of China has issued draft guidance on applying for and conducting security assessments for cross-border data transfers for public comment. On October 29, 2021, the Cyberspace Administration of...
11/10/2021 / China, Comment Period, Consumer Privacy Rights, Cybersecurity, Data Privacy, Data Protection, Data Security, Extraterritoriality Rules, International Data Transfers, Personal Information, Personal Information Protection Law (PIPL), Popular, Public Comment, Regulatory Reform, Regulatory Requirements
Regulations will mandate more robust customer identity verification procedures and special measures to combat malicious cyber activities.
On September 24, 2021, the Department of Commerce ("Commerce") published an Advance...
The U.S. Department of Justice announces an initiative targeting cybersecurity-related fraud by government contractors and grant recipients.
On October 6, 2021, the U.S. Department of Justice ("DOJ") announced a new Civil...
The California Attorney General ("AG") has issued guidance reminding health care providers of their duty to report health care data breaches and to comply with other state and federal data privacy laws....
9/15/2021 / Cyber Attacks, Data Breach, Data Protection, Electronic Medical Records, Health Care Providers, HIPAA Breach, Information Technology, Network Security, New Guidance, Popular, Regulatory Requirements, Reporting Requirements, Risk Management
The PIPL imposes extensive obligations on organizations and individuals engaged in "handling" of personal information, which is defined to include "collection, storage, use, processing, transmission, provision, disclosure,...
9/10/2021 / China, Consumer Privacy Rights, Data Privacy, Data Processors, Data Protection, Data Security, Extraterritoriality Rules, Personal Information, Personal Information Protection Law (PIPL), Popular, Regulatory Reform, Regulatory Requirements
When the DSL goes into effect on September 1, 2021, it will impose certain restrictions on a company's ability to transfer data out of China without the prior approval of Chinese authorities. One significant restriction is...
8/27/2021 / China, Consumer Privacy Rights, Corporate Counsel, Cybersecurity, Data Protection, Data Security, Foreign Official, International Data Transfers, Multinationals, Personal Data, Personally Identifiable Information, Popular
UNITED STATES -
Regulatory—Policy, Best Practices, and Standards -
President Biden Issues Cybersecurity Executive Order -
On May 12, 2021, President Biden issued an executive order that placed new standards on the...
8/10/2021 / Article III, Biden Administration, California Consumer Privacy Act (CCPA), Cybersecurity, Cybersecurity Framework, Data Breach, Data Privacy, Data Protection, Enforcement Actions, Executive Orders, Facial Recognition Technology, Federal Trade Commission (FTC), Hackers, Health Insurance Portability and Accountability Act (HIPAA), Information Technology, Mobile Apps, Personal Data, Popular, Ransomware, SCOTUS, Standing, TransUnion LLC v Ramirez
Connecticut has become the third state to enact a cybersecurity safe harbor statute.
On June 16 and July 6, 2021, Connecticut Governor Ned Lamont signed two new cybersecurity laws that continue the national trend of...
7/12/2021 / Cyber Attacks, Cybersecurity, Data Breach, Data Protection, New Legislation, Notice Requirements, Popular, Regulatory Reform, Safe Harbors, State and Local Government, State Data Breach Notification Statutes
The New York Department of Financial Services ("NYDFS") fined a mortgage bank $1.5 million for violations of New York's Cybersecurity Regulation, including failure to report a past cyber incident.
On March 3, 2021, the...
The Situation: As we advised in our recent Commentary, federal banking regulators have proposed rules requiring a banking organization to provide its primary federal regulator with prompt notification of any...
United States -
Regulatory—Policy, Best Practices, and Standard -
NIST Unveils Draft Guidance to Protect Critical Infrastructure -
On October 22, 2020, the National Institute of Standards and Technology ("NIST")...
1/8/2021 / CNIL, Consumer Privacy Rights, Court of Justice of the European Union (CJEU), Cybersecurity, Cybersecurity Framework, Data Breach, Data Privacy, Data Protection, Data Protection Authority, Data Security, European Data Protection Board (EDPB), General Data Protection Regulation (GDPR), Information Commissioner's Office (ICO), NIST, Personal Data, Popular, Risk Management
There are showers, there are squalls, and there are storms. The growth in cybersecurity attacks in Australia, as in much of the world, is a storm and Australian companies need to batten down the hatches. In the period from 1...
12/16/2020 / ASIC, Australia, Class Action, Cyber Attacks, Cyber Insurance, Cyber Threats, Cybersecurity, Data Breach, Data Privacy, Data Protection, Data Security, Popular, Risk Management
The Situation: Less than one year after the California Consumer Privacy Act ("CCPA") became effective, California voters approved the California Privacy Rights Act ("CPRA"), a consumer privacy ballot initiative that amends...
11/6/2020 / Advertising, California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Consumer Privacy Rights, Cybersecurity, Data Collection, Data Privacy, Data Protection, Data Security, Opt-Outs, Personal Information, Popular