Two states recently passed laws with specific data security requirements for entities that are gaming operators or licensees. These new regulations in Nevada and Massachusetts add to the already complex set of data security laws that exist at the federal and state level. In the US, companies may be subject to certain data security laws because of the type of information they collect or because of the industry they are in (financial, healthcare, insurance, telecommunications, etc.). The gaming industry is the latest to add to the mix.

Continue Reading Gaming Operators Latest to See Specific Privacy & Cybersecurity Laws

The New York and Pennsylvania AGs settlement with Herff Jones from late last year provides guidance to businesses about expected security measures as we enter into 2023. The case arose after Herff Jones, producer and seller of graduation goods, suffered a breach resulting in the theft and sale of customer payment card information.

Continue Reading Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities

To conclude our series of cybersecurity areas to focus on in 2023 for those who do business with the Federal government, we look at the FedRAMP and StateRAMP developments from 2022. For the rest of this series, see our prior articles (Part One, Part Two, Part Three, and Part Four).

Continue Reading Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Five- Further Adoption of FedRAMP & StateRAMP

The federal government has continued its efforts to fulfill the requirements set forth in Executive Order 14028, Improving the Nation’s Cybersecurity. For companies that do business with the Federal government, beyond looking at the other issues raised in this series of posts (see here, here and here), these efforts will be important to keep in mind in 2023. There are three efforts underway by the FAR Council to amend the Federal Acquisition Regulations (FAR) related to the Executive Order (in addition to the Secure Software efforts discussed in Part Three).

Continue Reading Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Four – Cybersecurity Federal Acquisition Regulation (FAR) Updates

Today we continue our series (see here and here) with the Office of Management and Budget’s September 2022 memorandum requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the NIST. The new requirements will apply to any third-party software that is used on government information systems or that otherwise “affects” government information. You can read our article about the guidance here.

Continue Reading Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Three – Secure Software Development Attestation Requirements

In this second in our series, we look at the long awaited update to NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” which is expected to be released in late spring 2023. NIST SP 800-171 forms the backbone for contractor security requirements in Department of Defense regulations and the CMMC program. It remains unclear if this update will impact the rollout of the CMMC program. 

Continue Reading Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Two – NIST SP 800-171, Revision 3

As we get settled into the New Year it is a good time to reflect on your company’s current data security and plans for 2023. In this five-part series, we reflect on the top important cybersecurity developments for companies that do business with the federal government (whether directly or as a supplier or reseller) and what we anticipate in the new year.

Continue Reading Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part One – CMMC Developments

Recently, the CFPB released an outline of proposed measures related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts that would allow consumers to take control of their personal financial data and determine which third parties could have access to such data. The CFPB is seeking comments on the rulemaking, by January 25, 2023.

Continue Reading CFPB Starts Year Seeking Comments on Proposals to Give Consumers Enhanced Control of Financial Data

New York’s Attorney General Letitia James recently secured a $1.9 million settlement from online retailer Zoetop Business Company, Ltd. to settle allegations that Zoetop had improperly handled a 2018 data breach and subsequent consumer notification. The scrutiny given to Zoetop provides insights into the NYAG’s expectations around breach investigations and response.

Continue Reading Lessons From New York AG Scrutiny of Breach Investigation and Response

The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.

Continue Reading FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations