On May 7, 2022, private employers—regardless of annual revenue or headcount—with a place of business in New York will have to provide all newly hired employees with written notice of the employer’s electronic device...more
Key Points -
Fourth Circuit points to SEC guidance on “less is more” approach to cybersecurity disclosures, while finding such disclosures did not violate federal securities laws.
Omissions of data vulnerabilities were...more
On March 10, 2022, the U.S. Department of Transportation’s (DOT) National Highway Traffic and Safety Administration (NHTSA) issued a first-of-its-kind final rule updating occupant safety requirements to account for vehicles...more
With the recent signing of the Utah Consumer Privacy Act (UCPA) by Gov. Spencer J. Cox on March 24, 2022, Utah has become the fourth state to enact a comprehensive law addressing consumer data privacy, joining California,...more
Colorado requires businesses to take reasonable steps to protect consumer data under both the Colorado Consumer Protection Act and its landmark new data privacy law, the Colorado Privacy Act (CPA). The CPA comes into force on...more
Last week the Biden administration and the European Commission jointly announced a new trans-Atlantic data flow agreement. While no specifics have yet been made public, a recent press release gives the high-level facts of...more
Under legislation signed into law today by President Joe Biden, certain companies will be required to report cyberattacks to the federal government within 72 hours, and ransomware payments within 24 hours.
Within 24...more
Key Points -
Proposed amendments bolster cyber disclosure and incident reporting requirements to better inform investors about a company’s risk management, strategy and governance relative to cyber issues.
Under the...more
On February 17, 2022, the California Privacy Protection Agency (CPPA) Board held its first Board meeting of 2022. Notably, CPPA Executive Director Ashkan Soltani delivered an update on the CPPA’s rulemaking activities and...more
Key Points -
Proposed amendments bolster cyber disclosure and incident reporting requirements to better inform investors about a company’s risk management, strategy and governance relative to cyber issues. ...more
The banking regulators of the Federal Reserve Board, Federal Deposit Insurance Corporation, and the Office of the Comptroller of Currency jointly announced a new rule requiring banking organizations in the United States to...more
2/17/2022
/ Banking Sector ,
Banks ,
FDIC ,
Federal Reserve ,
Final Rules ,
Financial Institutions ,
Financial Services Industry ,
New Rules ,
Notification Requirements ,
OCC ,
Reporting Requirements
The Federal Trade Commission (FTC) issued a surprisingly strong warning to companies that they may face potential regulatory action if they fail to address known vulnerabilities, focusing in particular on the Log4j...more
On January 28, 2022, the California Attorney General (AG) announced an “investigative sweep” of businesses operating loyalty programs in the state, which it launched by sending multiple businesses notice of noncompliance with...more
The ground-breaking draft European Union Act on Artificial Intelligence (AI), which has far-reaching implications beyond Europe, is currently going through the legislative procedure of the European Parliament and Council. The...more
Gary Gensler, Chair of the U.S. Securities and Exchange Commission (SEC), signaled a new era of cybersecurity law (and accompanying enforcement) in his keynote address “Cybersecurity and Securities Laws” on January 24, 2022,...more
Employers in New York City using artificial intelligence (AI), data analytics or statistical modeling in the hiring or promotion process will need to notify candidates in advance and conduct an annual “bias audit.” ...more
Public comments to recently published regulations governing compliance with the California Privacy Rights Act (CPRA) show that stakeholders sharply disagree on multiple areas of the CPRA. Seventy submissions totaling nearly...more
This December, the Transportation Security Administration (TSA) issued a pair of Directives establishing cybersecurity measures for high-risk freight rail, passenger rail, and rail transit owners and operators. These...more
1/7/2022
/ Aviation Industry ,
Critical Infrastructure Sectors ,
Cybersecurity ,
Department of Homeland Security (DHS) ,
Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) ,
Incident Response Plans ,
Public Transportation ,
Railways ,
Surface Transportation ,
Transportation Industry ,
TSA ,
Vulnerability Assessments
On September 21, 2021, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an updated sanctions advisory, providing guidance to companies on sanctions compliance obligations related to ransomware...more
12/14/2021
/ Compliance ,
Cryptocurrency ,
Cyber Attacks ,
Cybersecurity ,
Data Security ,
New Guidance ,
Office of Foreign Assets Control (OFAC) ,
Ransomware ,
Sanctions ,
U.S. Treasury ,
Virtual Currency
The National Institute of Standards and Technology (NIST) issued a request for public comment to help guide the development of the current and future state of technology in eight emerging technology areas. Those areas include...more
12/3/2021
/ America Competes Act ,
Comment Period ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Security ,
Internet of Things ,
NIST ,
Public Comment ,
Request For Information ,
Software Developers
Key Points -
On November 26, 2021, the U.S. Department of Commerce issued a notice of proposed rulemaking related to “connected software applications” (“apps”) that aims to expressly incorporate transactions involving...more
On October 28, 2021, the U.S. Equal Employment Opportunity Commission (EEOC) unveiled an initiative focused on fairness in the use of artificial intelligence (AI) and algorithmic tools, showing that federal regulators...more
On November 17, 2021, the U.S. Department of Defense (DOD) published an Advanced Notice of Proposed Rulemaking (ANPRM) previewing significant changes to its Cybersecurity Maturity Model Certification (CMMC) program.1 The...more
On 10 November 2021, the Supreme Court dismissed the United Kingdom’s first ever “opt-out” class action brought outside of the competition law sector, in Lloyd v Google LLC. The claim, seeking an award of damages of around £3...more
[co-author: Christina Barone]
The Infrastructure Investment and Jobs Act (the “bill”) is historic bipartisan legislation that will make available $1.2 trillion in funding for infrastructure programs across the...more