SEC Continues Focus on Cybersecurity Disclosure Failures, Announces Settled Charges Against Pearson plc

Through its announcement of settled charges against Pearson plc (Pearson) on August 16, 2021, the U.S. Securities and Exchange Commission signaled its continued, high-level scrutiny of companies’ public statements related to data security incidents. Without admitting or denying the SEC’s findings, Pearson agreed to a cease-and-desist order (Order) and to pay a $1 million penalty. The SEC’s Pearson Order follows its June 2021 announcement that it had settled charges against First American Title Insurance Company (First American) for cybersecurity disclosure control failures. Together, the Pearson and First American actions underscore the SEC’s increasingly vigorous enforcement efforts on disclosure control violations related to cybersecurity issues, in particular vulnerabilities that expose sensitive customer information and data breaches.

FFIEC Guidance on Authentication and Access to Financial Institution Services and Systems

On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) issued guidance establishing risk management principles and practices to support the authentication of users accessing a financial institution’s information systems and customers accessing a financial institution’s digital banking services (the Guidance). The Guidance is not intended to serve as a comprehensive framework but rather provides financial institutions with examples of effective risk management practices without endorsing any specific information security framework or standard.


SEC Announces Settled Charges Against First American for Cybersecurity Disclosure Controls Failures – Lessons Learned

On June 15, 2021, the SEC announced settled charges against First American Title Insurance Company (First American) for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information. Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and to pay a $487,616 penalty (Order). This resolution highlights the SEC’s continued focus on cybersecurity. The SEC is considering enhancing its disclosure rules concerning cybersecurity risk governance and has indicated a target release date of October 2021.


Schrems II Fallout Continued: Finalised EDPB Recommendations Released

After months of anticipation, the European Data Protection Board (EDPB) has released its finalised recommendations (Recommendations) on how to carry out the required assessment of international data transfers post-Schrems II. In what is considered to be one of the most important documents for the future of data transfers, this development marks a turning point for international entities.

Continuing its series of webinars on the fallout since Schrems II, Sidley and OneTrust DataGuidance are hosting a panel discussion to provide insight on the EDPB’s Recommendations, how they differ from the draft version, and how entities can approach international data flows.

Federal Government Interest in Cyber Continues: Congressional Hearings on the Colonial Pipeline Cyberattack

On May 7, 2021, Colonial Pipeline experienced a ransomware cyberattack on its corporate network. This attack, attributed to the DarkSide hacking group, led the company to temporarily halt the operation of its pipeline network—causing fuel shortages throughout the East Coast. Although highly publicized, the Colonial Pipeline cyberattack is not unique. In fact, the event was just one in a growing pattern of ransomware attacks against major U.S. companies and critical infrastructure. In light of these events, the issue of cyberattacks—particularly those involving ransomware—has become a key area of concern for federal lawmakers.


The U.S. Innovation and Competition Act: Senate Passes Sweeping $250 Billion Bill to Bolster Scientific Innovation and Compete With China

On Tuesday, June 8, 2021, the U.S. Senate adopted by a 68-32 vote S. 1260, the United States Innovation and Competition Act, a nearly 2,400-page, $250 billion bill designed to boost U.S. semiconductor production, scientific research, development of artificial intelligence, and space exploration in the face of growing economic, technological, and military competition from China.

Senate Majority Leader Charles Schumer, D-N.Y., called the bill a “once-in-a-generation investment in American science and American technology.” The bipartisan bill, sponsored by Sens. Schumer and Todd Young, R-Ind., would invest more than $200 billion into U.S. scientific and technological innovation over the next five years.

Supreme Court Limits Scope of Computer Fraud and Abuse Act

It is a common story: An employee who knows he is about to leave his employer for a competitor uses his last days of computer access to download (or email himself) confidential information from his employer’s network. Once his employer discovers the misappropriation, the employee has moved on to his next job, leaving the employer scrambling to protect itself, often through a tangle of state-law tort and trade-secret claims.


TSA Issues Directive to Enhance Pipeline Cybersecurity

The U.S. Department of Homeland Security’s Transportation Security Administration (“TSA”) issued a Security Directive, “Enhancing Pipeline Cybersecurity,” on May 28, laying out new cybersecurity requirements for operators of liquids and natural gas pipelines and LNG facilities designated as critical infrastructure.


Cybersecurity Regulations for the Energy Industry

The Colonial Pipeline ransomware attack shone a spotlight on the importance and potential vulnerabilities of U.S. critical energy infrastructure. Join our panel of energy industry and cybersecurity thought leaders for a discussion of the threats targeting the industry today, the state of the law when it comes to safeguarding against cyberattacks, and what to expect from Congress and the Administration as calls for increased regulation intensify.


Major Executive Order on Cybersecurity Aims to Fortify Defenses and Coordinate U.S. Response to Growing Epidemic of Cyberattacks

The Biden administration issued a lengthy Executive Order, “Improving the Nation’s Cybersecurity,” on May 12, which it described as the “first of many ambitious steps” toward modernizing U.S. cybersecurity defenses. The White House simultaneously issued an explanatory fact sheet and background press call.

Pursuant to the Order, government agencies will be required to deploy multifactor authentication, encryption, endpoint detection and response, and logging, and to operate under the principle of a “zero-trust” environment. A clear purpose of the Order is to improve the security of commercial software, including by establishing baseline security requirements based on industry best practices. As the White House press briefer stated, the Order will impose “the power of federal procurement to say, ‘If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development.’”
