Cybersecurity

Subscribe to Cybersecurity via RSS

On March 15, 2023 the Securities and Exchange Commission (“SEC”) proposed three new sets of rules (the “Proposed Rules”) which, if adopted, would require a variety of companies to beef up their cybersecurity policies and data breach notification procedures. As characterized by SEC Chair Gary Gensler, the Proposed Rules aim to promote “cyber resiliency” in furtherance of the SEC’s “responsibility to help protect for financial stability.”[1]

In particular, the SEC has proposed:

  • Amendments to Regulation S-P which would, among other things, require broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures for response to data breaches, and to provide notice to individuals “reasonably likely” to be impacted within thirty days after becoming aware that an incident was “reasonably likely” to have occurred (“Proposed Reg S-P Amendments”).[2]
  • New requirements for a number of “Market Entities” (including broker-dealers, clearing agencies, and national securities exchanges) to, among other things: (i) implement cybersecurity risk policies and procedures; (ii) annually assess the design and effectiveness of these policies and procedures; and (iii) notify the SEC and the public of any “significant cybersecurity incident” (“Proposed Cybersecurity Risk Management Rule”).[3]
  • Amendments to Regulation Systems Compliance and Integrity (“Reg SCI”) in order to expand the entities covered by Reg SCI (“SCI Entities”) and add additional data security and notification requirements to SCI Entities (“Proposed Reg SCI Amendments”).[4]

Continue Reading SEC Proposes Sweeping New Cybersecurity Rules: Is Your Company Prepared?

Under China’s data protection regulatory framework, data processors are required to pass a security assessment conducted by the cybersecurity regulator before transferring certain categories or volumes of data out of China. This January, six months after the Cyberspace Administration of China (“CAC”) released the Measures on Security Assessment of Outbound Data Transfers (“Measures”), the Beijing counterpart of CAC reported the first two cases where the data processors passed the security assessments led by CAC, which sheds some light on the uncertainty and complexity of the security assessment.

Uncertainty of Reviewing Process and End of Grace Period

As disclosed by Beijing CAC, as of February 22, 2023, Beijing CAC has assisted more than 310 entities with their potential applications for the security assessment of outbound data transfers, and has received 48 formal applications from organizations in industries such as technology, e-commerce, healthcare, finance, automotive, and civil aviation, including multinational companies. Among many applications, CAC granted two organizations with the approval for transferring data out of China, namely the Beijing Friendship Hospital of the Capital Medical University and Air China.Continue Reading China Unveils Two Approved Outbound Data Transfer Cases

arthur-mazi-a8CxRWIu8yw-unsplash (1)

The recent Cothron v. White Castle Illinois Supreme Court decision ruled that BIPA violations accrue with each collection, leading to skyrocketing claims – and damages. It’s critical for employers to understand what this decision means, how this decision affects them, and how to avoid the risks inherent in employee data collection.  

Our March 21, 2023

michal-jakubowski-oQD9uq4Rd4I-unsplash

As we move into 2023, Biometric Information Privacy remains a constantly evolving field, with states enacting new statutes, technology evolving, plaintiffs raising new theories, and cases being filed daily. Keeping up with biometric laws can be a daunting task for these reasons.

On February 7, 2023, we led a webinar looking at some of the

ian-noble-fNUQTZgFpUQ-unsplash

In a January 11, 2023 op-ed published in the Wall Street Journal, President Joe Biden urged “Democrats and Republicans to come together to pass strong bipartisan legislation to hold Big Tech accountable.”  He warned that the “risks Big Tech poses for ordinary Americans are clear. Big Tech companies collect huge amounts of data” about

guillaume-perigois-0NRkVddA2fw-unsplash

On 16 November 2022, EU Regulation 2022/2065, better known as the Digital Services Act (“DSA”), came into force. The DSA is a key development in the use of online services in the European Union (“EU”), with an impact on online services as significant as the one which the General Data Protection Regulation (“GDPR”) had upon the collection, use, transfer, and storage of data originating in the EU on 25 May 2018.

Ambit

The DSA sets out rules and obligations for digital services providers that act as intermediaries in their role of connecting consumers with goods, services, and content.  

Its goal is to regulate and control the dissemination of illegal or harmful content online, provide more consumer protection in online marketplaces, and to introduce safeguards for internet users and users of digital services. It also introduces new obligations for major online platforms and search engines to prevent such platforms being abused.Continue Reading The EU Digital Services Act: Overview and Impact

emile-perron-xrVDYZRGdw4-unsplash (1)

Ransomware attacks have become one of the most common and pervasive cybercrimes perpetrated against U.S. companies. A bad actor, often from overseas, will gain access to upload malware onto a company’s network storage or application platforms that encrypts all files it can access. A message or text file is usually left with instructions on how to contact the attacker to pay a ransom for the decryption key. In the worst case, a ransomware attack can freeze the business operations by effectively removing access to the company’s critical systems and rendering them useless. Aside from the business impact, what legal implications are created by a ransomware attack?

Privacy

The greatest legal concern is one of privacy. By definition, ransomware attacks gain access to the internal systems maintained or owned by a business. However, not all ransomware attacks are created equal and privacy obligations differ from one attack to another.Continue Reading Ransomware Attacks – Harmless Annoyances or Catastrophic Events?

markus-spiske-gcgves5H_Ac-unsplash

Introduction

On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed mandates for cybersecurity disclosures by public companies. If adopted, these mandates seek to provide investors a deeper look into public companies’ cybersecurity risk, governance, and incident reporting practices. SEC chair Gary Gensler noted in a statement regarding the proposed mandates that cybersecurity incidents continue to become a growing risk with “significant financial, operational, legal, and reputational impacts.”

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.” – Gary Gensler, SEC ChairpersonContinue Reading SEC Proposes Mandatory Cybersecurity Disclosures by Public Companies

towfiqu-barbhuiya-FnA5pAzqhMM-unsplash

Introduction

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Act will require critical infrastructure organizations (defined below) to report cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The Act also creates an obligation to report ransomware payments within

why-kei-8e2gal_GIE8-unsplash

On February 2, 2022, U.S. Rep. Bobby L. Rush introduced the Right to Equitable and Professional Auto Industry Repair (REPAIR) Act, H.R. 6570 (the “Act”), legislation that would require OEMs to make vehicle-generated data more available to vehicle owners. The Act also would pave the way for the Federal Trade Commission (FTC) and National Highway