Data Security

Subscribe to Data Security

The SEC has now finalized its much anticipated rules for public companies’ cybersecurity disclosures. The final rules, published this month, require disclosure of certain cybersecurity incidents much sooner than under many other breach notification regimes. Additionally, the final rules require new periodic disclosures about a company’s processes to assess, identify, and manage material cybersecurity risks and about the roles of management and the board of directors in managing or overseeing those cybersecurity risks. These new requirements vary from the SEC’s prior (2018) guidance, and unlike in the past, are now codified under the Securities Exchange Act of 1934 and the Securities Act of 1933.

Continue Reading SEC Gives Finality on Cybersecurity Disclosures for Public Companies

The CPPA, the California regulatory body charged with enforcing CCPA, has now issued draft regulations on risk assessments and cybersecurity audits. The draft was released ahead of a public board meeting to discuss those topics (among other things).

Continue Reading What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?

Texas recently enacted an amendment to its data breach notification law. As of September 1, 2023, there are two changes to the requirements when notifying the Texas Attorney General. In Texas, breaches of 250 residents or more must be reported to the Attorney General. Now, as amended, this will need to be done so as soon as practicable, and not later than 30 days from determination of the breach (previously, it was 60 days). Texas joins Colorado, Florida, and Washington in requiring notice within a 30-day time frame. Notification in Texas must also be submitted electronically using a form on the AG’s website.

Continue Reading Texas Amends Data Breach Notification Law, Updates Effective September 1

Iowa recently became the fifth state to offer businesses a safe harbor if they have a written cybersecurity program. Others are Connecticut (October 1, 2021), Ohio (effective November 2, 2018), Oregon (effective January 1, 2020), and Utah (effective March 5, 2021). Like these, as of July 1, 2023, businesses that have a written cybersecurity program and suffer a breach may have an affirmative defense in Iowa against tort claims for inadequate security measures.

Continue Reading Iowa Joins Growing List to Offer Potential Safe Harbor for Companies With Security Programs

In response to a constantly-evolving cyber threat landscape, the Biden Administration recently announced the launch of a new cybersecurity labeling program – the U.S. Cyber Trust Mark program – in an effort to enhance transparency and protection against cyber threats in the growing Internet of Things (“IoT”) device space.

Continue Reading Cybersecurity Labeling Program to Increase Transparency of IoT Device Security

The National Institute of Standards and Technology is updating the security standards that govern the protection of sensitive government information. NIST recently released an initial public draft for comment. The document will be the third version of its existing standard (NIST SP 800-171), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The comment period closes July 14, 2023.

Continue Reading NIST Seeks Input on Standards for Protecting Sensitive Government Information

New York Attorney General Letitia James recently published a guide to help companies in preparing their data security programs and responding to data security incidents. The security program recommendations are paired with highlights from recent investigations by the Attorney General that provide valuable insights into what the Attorney General views as data security pitfalls that should be remedied.

Continue Reading New York AG Releases Guide for Business Data Security

EyeMed recently entered into a settlement with the Attorneys General of Oregon, New Jersey, Florida and Pennsylvania around a 2020 breach of an EyeMed email account that contained the data of more than 2 million individuals. As we previously reported, EyeMed entered into settlement with NYDFS over this breach in October of 2022. 

Continue Reading EyeMed Data Breach Multistate Settlement

Utah’s breach notification requirements will change on May 3, 2023. The recently amended data breach notification law now requires companies to notify the Attorney General for a breach involving 500 or more state residents. If the breach involves 1,000 or more residents, then notification to each consumer reporting agency is also required.

Continue Reading Utah Amends Data Breach Law, Creates Cyber Center

On April 4, CFPB Director Rohit Chopra delivered remarks at the International Association of Privacy Professionals’ Global Policy Summit on the importance of reigning in repeat violators of consumer finance and privacy laws. According to the Director, the CFPB is to enhance penalties against repeat offenders of consumer protection laws. Such penalties could involve a broader range of agency remedies, including naming executives in enforcement actions and placing meaningful limitations on future business practices, in addition to simple fines.

Continue Reading CFPB Director Elevates Priorities for Data Privacy & Repeat Offenders

The US Department of Health and Human Services recently updated its guide to help the private and public healthcare sectors develop cybersecurity protocols that address NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The guide is a toolkit, with information and resources intended to help companies implement cybersecurity programs in the health care space. While the aim of this guidance is to help companies implement NIST’s protocols for protecting US critical infrastructure, the recommendations contained in the guide mirror other agencies’ security recommendations (for example those we have written about from the Department of Labor and the FDA).

Continue Reading HHS Releases Cybersecurity Guide