The U.S. Department of Health and Human Services ("HHS") issued a concept paper describing its overarching strategy to address healthcare cybersecurity. The concept paper builds on the Biden-Harris Administration's National...
12/18/2023
/ Cybersecurity ,
Department of Health and Human Services (HHS) ,
Enforcement ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HITECH Act ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Medicare ,
OCR ,
Popular
As we discussed in our prior blog post, the Securities and Exchange Commission (SEC) recently finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the "Rule")....
12/15/2023
/ Cyber Incident Reporting ,
Cybersecurity ,
Department of Justice (DOJ) ,
Disclosure Requirements ,
FBI ,
Form 8-K ,
Infrastructure ,
New Guidance ,
Popular ,
Publicly-Traded Companies ,
Remediation ,
Securities and Exchange Commission (SEC)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (UK NCSC), along with partner agencies from 17 nations, have released Guidelines for Secure AI System Development (the...
12/5/2023
/ Artificial Intelligence ,
Asset Protection ,
Biden Administration ,
Critical Infrastructure Sectors ,
Cyber Threats ,
Cybersecurity ,
Documentation ,
Executive Orders ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Incident Response Plans ,
Infrastructure ,
Machine Learning ,
NCSC ,
NIST ,
Popular ,
Risk Management ,
Supply Chain
The Cybersecurity and Infrastructure Security Agency (CISA) has released a revised draft of its Secure Software Development Attestation Common Form ("Form"). The Form, once finalized, will obligate vendors providing software...
12/1/2023
/ Automation Systems ,
Cybersecurity ,
Department of Justice (DOJ) ,
Executive Orders ,
False Claims Act (FCA) ,
Federal Acquisition Regulations (FAR) ,
General Services Administration (GSA) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
NIST ,
Noncompliance ,
OMB ,
Risk Assessment ,
Software Developers ,
Supply Chain
The AI executive order moves the U.S. closer to a broader unified approach on federal AI regulation, expanding on the AI Bill of Rights and NIST AI Risk Management Framework and focusing on the responsible development and...
11/8/2023
/ Anti-Discrimination Policies ,
Artificial Intelligence ,
Biden Administration ,
Consumer Financial Protection Bureau (CFPB) ,
Cybersecurity ,
Defense Production Act ,
Department of Energy (DOE) ,
Department of Homeland Security (DHS) ,
ECOA ,
Executive Orders ,
Fair Credit Reporting Act (FCRA) ,
Fair Housing Act (FHA) ,
HUD ,
Infrastructure ,
National Security ,
NIST ,
OMB ,
Patent Trial and Appeal Board ,
Popular ,
Privacy Laws ,
Public Health ,
Risk Management ,
Security Standards ,
Technology Sector ,
U.S. Commerce Department
The Federal Trade Commission (FTC or Commission) has amended its Standards for Safeguarding Customer Information, commonly known as the "Safeguards Rule," to require non-bank financial institutions to report certain data...
Legislation requires data brokers to register with the California Privacy Protection Agency and comply with a one-stop consumer deletion mechanism by 2026 -
The wave of data privacy legislation in California continues as...
10/4/2023
/ Audits ,
California ,
California Privacy Protection Agency (CPPA) ,
Data Brokers ,
Data Deletion ,
Data Privacy ,
Data Protection ,
Data Security ,
Disclosure Requirements ,
Legislative Agendas ,
New Legislation ,
Personal Data ,
Regulatory Oversight ,
Reporting Requirements ,
State Legislatures
The Delaware Personal Data Privacy Act (DPDPA or Act) became law on September 11, 2023, making Delaware the 13th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut,...
9/14/2023
/ Advertising to Minors ,
B2B Organizations ,
Commodity Exchange Act (CEA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Data Privacy ,
Data Processors ,
Data Protection ,
Delaware ,
Enforcement ,
Fair Credit Reporting Act (FCRA) ,
FERPA ,
GLBA Privacy ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Nonprofits ,
Opt-Outs ,
Personal Data ,
Privacy Notice Rule ,
Private Right of Action ,
Securities Exchange Act of 1934 ,
State Privacy Laws
The Office of the National Cyber Director (ONCD) has extended the deadline to respond to its Request for Information (RFI) seeking public comment on "opportunities for and obstacles to harmonizing" cybersecurity regulations....
9/14/2023
/ Cybersecurity ,
Deadlines ,
Department of Homeland Security (DHS) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Infrastructure ,
Interagency Guidance ,
NDAA ,
NIST ,
OMB ,
Popular ,
Proposed Regulation ,
Request For Information ,
Risk Mitigation
The Federal Communications Commission (FCC) has published its notice of proposed rulemaking (the NPRM) detailing the proposed creation of a voluntary cybersecurity labeling program for Internet of Things (IoT) or "smart"...
On June 12, 2023, the California Assembly's Judiciary Committee replaced the full contents of AB 1757 (a bill originally addressing court consolidation) with new legislative language featuring heightened standards for...
8/23/2023
/ Americans with Disabilities Act (ADA) ,
Business Ownership ,
California ,
Compliance ,
Department of Justice (DOJ) ,
FCC ,
Liability ,
Mobile Apps ,
New Amendments ,
New Guidance ,
Notice of Proposed Rulemaking (NOPR) ,
Penalties ,
Proposed Legislation ,
Public Accommodation ,
Rehabilitation Act ,
Unruh Civil Rights Act ,
Web Content Accessibility Guidelines (WCAG) ,
Website Accessibility
On July 26, 2023, the U.S. Securities and Exchange Commission (SEC or Commission) finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the "Final Rule") by a...
The Cybersecurity Administration of China ("CAC") and six other agencies jointly promulgated Interim Measures for the Administration of Generative Artificial Intelligence Services ("Generative AI Measures" or "Rules"), that...
7/31/2023
/ Algorithms ,
Artificial Intelligence ,
China ,
Compliance ,
Consent ,
Corporate Counsel ,
Cybersecurity ,
Digital Service Providers ,
Intellectual Property Protection ,
Interim Rule ,
Labeling ,
Licensing Rights ,
Machine Learning ,
Personal Information ,
Research and Development ,
Technology Sector ,
Training
Oregon becomes the 12th state with a comprehensive consumer data privacy law -
The Oregon Consumer Privacy Act (OCPA) became law on July 18, 2023. Oregon is the twelfth state to enact a comprehensive consumer data privacy...
7/20/2023
/ Consumers ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Protection Acts ,
Data Security ,
Legislative Agendas ,
New Legislation ,
New Regulations ,
Oregon ,
Personal Data ,
Privacy Laws ,
State and Local Government ,
State Privacy Laws
Swiftly on the heels of the U.S. announcing it fulfilled its commitments for implementing the EU-U.S. Data Privacy Framework (the Framework), the European Commission (the EC) formally recognized that commercial organizations...
7/14/2023
/ Court of Justice of the European Union (CJEU) ,
Data Security ,
Department of Justice (DOJ) ,
Department of Transportation (DOT) ,
Enforcement ,
EU Data Protection Laws ,
European Commission ,
Federal Trade Commission (FTC) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Liability ,
Notice Requirements ,
ODNI ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
US-EU Safe Harbor Framework
The U.S. Secretary of Commerce, Gina Raimondo, issued a statement on July 3, 2023, announcing completion of commitments by the U.S. for implementing the Trans-Atlantic Data Privacy Framework (the "Framework"). The Framework...
7/10/2023
/ Data Collection ,
EU-US Privacy Shield ,
European Commission ,
European Court of Justice (ECJ) ,
International Data Transfers ,
ODNI ,
Personal Data ,
Policies and Procedures ,
Privacy Framework ,
Safeguards Rule ,
Secretary of Commerce ,
Standard Contractual Clauses
The Texas Data Privacy and Security Act (TDPSA) became law on June 16, 2023. Texas becomes the 11th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa,...
7/7/2023
/ Biometric Information ,
Compliance ,
Consent ,
Data Privacy ,
Data Protection ,
Data Security ,
Fair Credit Reporting Act (FCRA) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Non-Discrimination Rules ,
Notice Requirements ,
Opt-Outs ,
Popular ,
Private Right of Action ,
Reporting Requirements ,
SBA ,
Sensitive Personal Information ,
Small Business ,
State Privacy Laws ,
Texas
The Connecticut legislature passed and the governor recently signed amendments to the Connecticut Data Privacy Act (CTDPA), the state's comprehensive consumer data privacy law, which goes into effect July 1, 2023. Some...
7/3/2023
/ Confidential Information ,
Connecticut ,
Data Privacy ,
Email ,
Enforcement Actions ,
Minors ,
New Amendments ,
Personal Data ,
PHI ,
Sensitive Personal Information ,
Social Media
The final regulations implementing the California Privacy Rights Act of 2020 (CPRA) were set to go into effect on July 1, 2023. However, the Sacramento County Superior Court issued a ruling enjoining the California Privacy...
According to its Spring 2023 rulemaking agenda, the U.S. Securities and Exchange Commission (SEC) has delayed issuance of two sets of cybersecurity requirements that previously were expected to be finalized in April 2023. The...
6/28/2023
/ Broker-Dealer ,
Business Development Companies ,
Corporate Governance ,
Corporate Strategy ,
Cyber Incident Reporting ,
Cybersecurity ,
Investment Adviser ,
Proposed Rules ,
Publicly-Traded Companies ,
Registered Investment Advisors ,
Regulatory Agenda ,
Risk Management ,
Rulemaking Process ,
Securities and Exchange Commission (SEC)
Texas amended its data breach notification law to significantly tighten the deadline for notifying the state attorney general (AG) of a data breach affecting 250 or more state residents. Senate Bill 768, which amended Section...
The Florida Digital Bill of Rights (FDBR) was signed into law by Governor Ron DeSantis on June 6, 2023, making Florida the tenth state to enact a consumer data privacy law along with California, Virginia, Colorado,...
6/9/2023
/ Biometric Information ,
Consent ,
Consumer Privacy Rights ,
COPPA ,
Data Collection ,
Data Protection ,
Data Retention ,
Data Selling ,
Disclosure Requirements ,
Enforcement ,
Facial Recognition Technology ,
Florida ,
New Legislation ,
Notice Requirements ,
Opt-Outs ,
Personal Information ,
Privacy Laws ,
Rulemaking Process ,
Sensitive Personal Information ,
Social Media
Montana is the ninth state to enact a comprehensive consumer data privacy law -
Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (MTCDPA) on May 19, 2023, after unanimous passage through the...
A reminder to non-bank financial institutions subject to the Gramm-Leach-Bliley Act (GLBA): the deadline to comply with the Federal Trade Commission's (FTC) revised Standards for Safeguarding Customer Information, commonly...
5/19/2023
/ Compliance ,
Cybersecurity ,
Deadlines ,
Department of Education ,
Federal Trade Commission (FTC) ,
Financial Institutions ,
FTC Act ,
GLBA Privacy ,
Investment Adviser ,
Multi-Factor Authentication ,
New Rules ,
Popular ,
Risk Assessment ,
Safeguards Rule ,
Third-Party Risk
Italy's Data Protection Agency (DPA) lifted a temporary ban on ChatGPT's operations in Italy after OpenAI, the purveyor of the generative AI system, agreed to implement a series of changes to its online notices and privacy...