Cybersecurity

Subscribe to Cybersecurity via RSS

Will a final rule issued by the Department of Defense on September 10, 2025 (available here) cause companies to rethink their compliance approach? The rule –relating to the Cybersecurity Maturity Model Certification program or CMMC – will impact how defense contractors engage with the Department of Defense. (We wrote previously (here) about the separate, but related, CMMC rule that addressed substantive CMMC program requirements.)Continue Reading Leveling Up: Will CMMC Contract Obligations Impact Your Organization?

We are in the final quarter of the year, which is typically budgeting and planning for many issues, including -hopefully!- data incident preparedness. Is your organization able to take advantage of one of the growing number of states’ safe harbor provisions? In particular, Connecticut, Iowa, Ohio, Oklahoma (beginning January 1, 2026), Oregon, – as of September 2025 Texas (for entities with less than 250 employees) – and Utah provide certain affirmative defenses against claims resulting from data breaches. The safe harbor is available if the company has a “qualified” cybersecurity program. What that means varies by state. Continue Reading Incident Response Defenses: Can You Take Advantage of a Cyber Program Safe Harbor?

Over half of US states require annual compliance certifications from insurance providers. While the filing time frames for this year draw to a close, companies may want to keep them in mind not only for next year, but as a reminder of the information security programs that are expected to be in place.Continue Reading Insurance Cybersecurity Certifications: An (Updated) State Roundup

On February 20, the SEC announced the creation of its Cyber and Emerging Technologies Unit (CETU) to address misconduct involving new technologies and strengthen protections for retail investors. The CETU replaces the SEC’s former Crypto Assets and Cyber Unit and will be led by SEC enforcement veteran Laura D’Allaird.Continue Reading SEC Creates New Tech-Focused Enforcement Team

In the fourth in our series of new CCPA regulations from California, we look at both cybersecurity audit obligations as well as the impact of the CCPA on the insurance industry.Continue Reading California’s Privacy Regulator Had a Busy November, Cybersecurity Audits and Insurance Edition: What Does It Mean for Businesses?

The Department of Defense published the final version of its Cybersecurity Maturity Model Certification (CMMC) rule last week. This rule establishes the parameters of the program and timeline for implementation. A separate rule to finalize associated contract requirements is expected early to mid-next year. For a deep-dive into noteworthy takeaways for the Final Rule, see our analysis here. Here are some highlights:Continue Reading Countdown to Compliance: The Department of Defense Finalizes Its Cybersecurity Program Rule

The New York Department of Financial Services (“NYDFS”) recently published guidance on managing cyber risks related to AI for the financial services and insurance industry. Though the circular letter does not introduce any per se “new” obligations, the guidance speaks to the Agency’s expectations for addressing AI within its existing cybersecurity regulations. Continue Reading NYDFS Speaks Out on AI and its Cybersecurity Risks

The EU Regulation on horizontal cybersecurity requirements for products with digital elements, the so-called Cyber Resilience Act, has been officially adopted on 10 October 2024 and will be published in the EU’s official journal in the coming weeks. This law will impose important obligations on manufacturers of connected products and those placing them onto the EU market. Implementation will begin in 2026 for certain portions of the law, and continue until 2027/2028 for some provisions. There are several elements for a company to keep in mind, which we have outlined below.Continue Reading EU Cybersecurity Regulation Adopted, Impacts Connected Products

Tennessee has joined a handful of other states to provide certain safe harbors in the cybersecurity realm. Unlike others, the law sits beside -but does not modify- the states’ data breach notification law. Also unlike others, the safe harbor is very narrowly tailored, and is not triggered by having a data security program.Continue Reading Impact of Tennessee’s Cybersecurity Class Action Safe Harbor

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.Continue Reading Mid-Year Recap: Think Beyond US State Laws!