On June 15, 2021, the SEC announced settled charges against First American Title Insurance Company (First American) for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.1 Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to … Read More
On May 7, 2021, Colonial Pipeline experienced a ransomware cyberattack on its corporate network. This attack, attributed to the DarkSide hacking group, led the company to temporarily halt the operation of its pipeline network—causing fuel shortages throughout the East Coast. Although highly publicized, the Colonial Pipeline cyberattack is not unique. … Read More
This article was first published by Law360 on May 17, 2021.
In light of new standard contractual clauses, or SCCs, to be issued shortly by the European Commission, as well as imminent new guidance from the European Data Protection Board, companies transferring personal data to the U.S. should consider taking … Read More
The Biden administration issued a lengthy Executive Order, “Improving the Nation’s Cybersecurity,” on May 12, which it described as the “first of many ambitious steps” toward modernizing U.S. cybersecurity defenses. The White House simultaneously issued an explanatory fact sheet and background press call.
Pursuant to the Order, government agencies will … Read More
For over two and a half years, California has enjoyed the spotlight of having the most comprehensive data privacy law in the United States. On March 2, 2021, Virginia forced California to share the honors, when Democratic Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA).… Read More
On December 15, 2020, the U.S. Federal Deposit Insurance Corporation (FDIC) approved and the federal banking agencies jointly announced on December 18 a notice of proposed rulemaking, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (NPR).1 The NPR is a joint proposal by the Office … Read More
The thesis articulated in the article linked here is that (1) nearly all companies relying on standard contractual clauses for data transfers to the US under the EU General Data Protection Regulation are not electronic communications service providers for purposes of FISA 702 (i.e., only companies in the business of … Read More
On December 10, 2020, the California Attorney General (“AG”) proposed additional edits to the CCPA Regulations. These changes both build upon the updates that were proposed on October 12, 2020, and add some new content. All of the newly proposed changes relate to the right to opt-out of the sale … Read More
On October 1, 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that highlights the risk of potential U.S. sanctions law violations if U.S. individuals and businesses comply with ransomware payment demands.1
Ransomware attacks use malware, often injected through phishing schemes, to encrypt a … Read More