Photo of Kari Rollins

Kari Rollins

Subscribe to Kari Rollins's Posts

Kari M. Rollins is a partner in the Intellectual Property Practice Group and Office Managing Partner of the New York office.

Contact:Read more about Kari Rollins

The SEC has now finalized its much anticipated rules for public companies’ cybersecurity disclosures. The final rules, published this month, require disclosure of certain cybersecurity incidents much sooner than under many other breach notification regimes. Additionally, the final rules require new periodic disclosures about a company’s processes to assess, identify, and manage material cybersecurity risks and about the roles of management and the board of directors in managing or overseeing those cybersecurity risks. These new requirements vary from the SEC’s prior (2018) guidance, and unlike in the past, are now codified under the Securities Exchange Act of 1934 and the Securities Act of 1933.Continue Reading SEC Gives Finality on Cybersecurity Disclosures for Public Companies

New York’s Local Law 144 of 2021 will finally go into effect on July 5, 2023, after several delays. As we previously discussed, the law requires employers to provide candidates for employment and promotion with notice about the use of an AI system, offer them an opt out, and audit any such systems for bias. The law is intended to benefit job applicants and may provide useful guidance for employers who wish to use AI to help eliminate workplace bias.Continue Reading NY AI Laws Going Live Next Month

The US Department of Health and Human Services recently updated its guide to help the private and public healthcare sectors develop cybersecurity protocols that address NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The guide is a toolkit, with information and resources intended to help companies implement cybersecurity programs in the health care space. While the aim of this guidance is to help companies implement NIST’s protocols for protecting US critical infrastructure, the recommendations contained in the guide mirror other agencies’ security recommendations (for example those we have written about from the Department of Labor and the FDA).Continue Reading HHS Releases Cybersecurity Guide

The New York and Pennsylvania AGs settlement with Herff Jones from late last year provides guidance to businesses about expected security measures as we enter into 2023. The case arose after Herff Jones, producer and seller of graduation goods, suffered a breach resulting in the theft and sale of customer payment card information.Continue Reading Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities

An Illinois state appellate court’s recent ruling will impact how companies consider compliance with Illinois’ Biometric Information Privacy Act (BIPA). That court ruled companies must have a BIPA-compliant written retention-and-destruction policy in place before collecting and possessing biometric data. The decision makes clear that mere possession of biometric data triggers the duty to develop the necessary written BIPA policy. In relevant part, under BIPA’s section 15(a), companies must establish a written, publicly-available policy that governs their retention and destruction of biometric data.Continue Reading Illinois Appellate Court Weighs in on Biometric Data Policies

New York’s Attorney General Letitia James recently secured a $1.9 million settlement from online retailer Zoetop Business Company, Ltd. to settle allegations that Zoetop had improperly handled a 2018 data breach and subsequent consumer notification. The scrutiny given to Zoetop provides insights into the NYAG’s expectations around breach investigations and response.Continue Reading Lessons From New York AG Scrutiny of Breach Investigation and Response

The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.Continue Reading FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations

Beginning January 1, 2023, New York City will restrict employers from using artificial intelligence to make employment decisions unless they follow certain guidelines. The local law applies to employment decisions made “within the city” regarding job applicants and promotion decisions.Continue Reading New York City Set To Regulate Employment Decisions Made By AI

The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.Continue Reading Wegmans Settles With NYAG for $400,000 Over Data Incident

In a recent letter to the UK law society, the UK Information Commissioner’s Office and the National Cyber Security Centre have provided lawyers with advice about ransomware payments. The two agencies cautioned lawyers that such payments would not help “protect” the data, mitigate the risk to individuals, or result in a lower ICO penalty in the event of a regulatory investigation. Instead, they stated in a release that accompanied the letter, lawyers “should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.”Continue Reading UK ICO and NCSC Issue Caution About Making Ransomware Payments