This blog post is co-authored by Seyfarth Shaw and The Chertoff Group and has been cross-posted with permission.

What Happened

On July 26, the U.S. Securities & Exchange Commission (SEC) adopted its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rule on a 3-2 vote. The final rule is a modified version of the SEC’s earlier Notice of Proposed Rulemaking (NPRM) released in March 2022. The final rule formalizes and expands on existing interpretive guidance requiring disclosure of “material” cybersecurity incidents.

Continue Reading SEC Publishes Public Company Cybersecurity Disclosure Final Rule

By this point, most people in the employee benefits space have heard about the MOVEit and Retirement Clearing House (RCH) cyber incidents, which could directly impact employers’ benefit plans. The MOVEit file transfer application is used by a number of vendors, including those that locate missing plan participants or find information regarding deceased plan participants (e.g., PBI Research Services). RCH is often used by retirement plans to facilitate benefit transfers, including for IRA rollovers. Other plan vendors/subcontractors may also use the MOVEit software application or subcontract with RCH for their plan services. Actual and potential victims have included state and federal government agencies as well as companies across a variety of industries (and their benefit plans) who were using MOVEit or RCH, or who engaged with service providers who used these tools.

Continue Reading Multiple Cyber Incidents Impact Employee Benefit Plans and Participants

You may have recently seen press reports about lawyers who filed and submitted papers to the federal district court for the Southern District of New York that included citations to cases and decisions that, as it turned out, were wholly made up; they did not exist.  The lawyers in that case used the generative artificial intelligence (AI) program ChatGPT to perform their legal research for the court submission, but did not realize that ChatGPT had fabricated the citations and decisions.  This case should serve as a cautionary tale for individuals seeking to use AI in connection with legal research, legal questions, or other legal issues, even outside of the litigation context.

In Mata v. Avianca, Inc.,[1] the plaintiff brought tort claims against an airline for injuries allegedly sustained when one of its employees hit him with a metal serving cart.  The airline filed a motion to dismiss the case. The plaintiff’s lawyer filed an opposition to that motion that included citations to several purported court decisions in its argument. On reply, the airline asserted that a number of the court decisions cited by the plaintiff’s attorney could not be found, and appeared not to exist, while two others were cited incorrectly and, more importantly, did not say what plaintiff’s counsel claimed. The Court directed plaintiff’s counsel to submit an affidavit attaching the problematic decisions identified by the airline.

Continue Reading Use of ChatGPT in Federal Litigation Holds Lessons for Lawyers and Non-Lawyers Everywhere

The My Health My Data Act (“Act”) was approved by the Washington State House on April 17, 2023. The Act is now with Governor Jay Inslee for signature and is expected to be signed into law in its current form, which is broad enough that anyone with any activity in Washington should consider its scope and implications for operations. Because the Act will be enforceable through a private right of action, it has the potential to create substantial legal exposure for violations.

The Act creates new and unique consumer rights and obligations for businesses relating to the collection, sharing, and use of “Consumer Health Data” (“CHD”). It expressly aims to “close the gap between consumer knowledge and industry practice” by expanding obligations related to processing of CHD to entities not covered by HIPAA. However, it is significantly broader in potential scope, due in part to the gaping definition of CHD (which expressly includes data that identifies past, present, or future physical or mental health status, for example, “bodily functions” and “precise location information that could reasonably indicate an attempt to receive health services or supplies”). The Act will impact a range of businesses, including advertisers, mobile app providers like health and wellness trackers, wearable device manufacturers and, of course, healthcare and wellness industry companies and their data processors handling non-HIPAA-regulated CHD. Notably, the Act expressly addresses abortion/reproductive health services and gender-affirming care services, including by making it unlawful for any person to use a “geofence” (or virtual boundary) around a facility that provides health care services for the purposes of identifying or tracking consumers seeking such services; collecting CHD from consumers; or sending them notifications, messages, or advertisements related to their CHD or health care services. This restriction applies regardless of consent or opt-in.

Continue Reading Washington’s “My Health My Data” Act

On March 15, 2023 the Securities and Exchange Commission (“SEC”) proposed three new sets of rules (the “Proposed Rules”) which, if adopted, would require a variety of companies to beef up their cybersecurity policies and data breach notification procedures. As characterized by SEC Chair Gary Gensler, the Proposed Rules aim to promote “cyber resiliency” in furtherance of the SEC’s “responsibility to help protect for financial stability.”[1]

In particular, the SEC has proposed:

  • Amendments to Regulation S-P which would, among other things, require broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures for response to data breaches, and to provide notice to individuals “reasonably likely” to be impacted within thirty days after becoming aware that an incident was “reasonably likely” to have occurred (“Proposed Reg S-P Amendments”).[2]
  • New requirements for a number of “Market Entities” (including broker-dealers, clearing agencies, and national securities exchanges) to, among other things: (i) implement cybersecurity risk policies and procedures; (ii) annually assess the design and effectiveness of these policies and procedures; and (iii) notify the SEC and the public of any “significant cybersecurity incident” (“Proposed Cybersecurity Risk Management Rule”).[3]
  • Amendments to Regulation Systems Compliance and Integrity (“Reg SCI”) in order to expand the entities covered by Reg SCI (“SCI Entities”) and add additional data security and notification requirements to SCI Entities (“Proposed Reg SCI Amendments”).[4]


Continue Reading SEC Proposes Sweeping New Cybersecurity Rules: Is Your Company Prepared?

In a January 11, 2023 op-ed published in the Wall Street Journal, President Joe Biden urged “Democrats and Republicans to come together to pass strong bipartisan legislation to hold Big Tech accountable.”  He warned that the “risks Big Tech poses for ordinary Americans are clear. Big Tech companies collect huge amounts of data” about

On 16 November 2022, EU Regulation 2022/2065, better known as the Digital Services Act (“DSA”), came into force. The DSA is a key development in the use of online services in the European Union (“EU”), with an impact on online services as significant as the one which the General Data Protection Regulation (“GDPR”) had upon the collection, use, transfer, and storage of data originating in the EU on 25 May 2018.

Ambit

The DSA sets out rules and obligations for digital services providers that act as intermediaries in their role of connecting consumers with goods, services, and content.  

Its goal is to regulate and control the dissemination of illegal or harmful content online, provide more consumer protection in online marketplaces, and to introduce safeguards for internet users and users of digital services. It also introduces new obligations for major online platforms and search engines to prevent such platforms being abused.

Continue Reading The EU Digital Services Act: Overview and Impact

Ransomware attacks have become one of the most common and pervasive cybercrimes perpetrated against U.S. companies. A bad actor, often from overseas, will gain access to upload malware onto a company’s network storage or application platforms that encrypts all files it can access. A message or text file is usually left with instructions on how to contact the attacker to pay a ransom for the decryption key. In the worst case, a ransomware attack can freeze the business operations by effectively removing access to the company’s critical systems and rendering them useless. Aside from the business impact, what legal implications are created by a ransomware attack?

Privacy

The greatest legal concern is one of privacy. By definition, ransomware attacks gain access to the internal systems maintained or owned by a business. However, not all ransomware attacks are created equal and privacy obligations differ from one attack to another.

Continue Reading Ransomware Attacks – Harmless Annoyances or Catastrophic Events?

Earlier this month, the New York Attorney General’s Office issued findings of its investigation into a data security incident involving EyeMed Vision Care LLC (“EyeMed”) as well as the agreement that it entered into with the company in exchange for not pursuing further statutory charges.[1] The settlement included a fine of $600,000, a marked

Seyfarth Synopsis: On May 12, 2021, President Joe Biden issued a very broad, 34-page “Executive Order on Improving the Nation’s Cybersecurity.” The Executive Order, or “EO”, can be found here. This order comes six months after the notorious SolarWinds attack, and mere weeks after other high-profile attacks have invaded our networks, and shut