Demian Ahn

Subscribe to Demian Ahn's Posts

On October 27, 2023, the Federal Trade Commission (FTC) announced it is amending the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) to include a requirement for non-bank financial institutions to report certain data breaches and other security events to the agency.Continue Reading FTC Amends Safeguard Rule with Requirement for Non-Banking Financial Institutions to Report Data Security Breaches

Reflective of the Government’s increasing focus on cybersecurity, on October 3, 2023, the Federal Acquisition Regulation Council (FAR Council) released two new proposed rules that will have major impacts on federal contractors. These rules implement the May 2021 Executive Order on Improving the Nation’s Cybersecurity.1 One rule applies to any federal contractor that uses information and communications technology (ICT) systems in the performance of a federal contract, sets forth cybersecurity incident reporting requirements, and imposes a software bill of materials (SBOM) requirement. The other rule, which applies only to those federal contractors that provide or maintain a Federal Information System (FIS), is intended to standardize cybersecurity requirements for unclassified FISs.Continue Reading New Proposed Rules Published for Cyber Incident Reporting and Cybersecurity Requirements Will Have Major Impacts on Federal Contractors

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) announced that it adopted final rules requiring disclosure by public companies of material cybersecurity incidents in a Current Report on Form 8-K, and of material information regarding their cybersecurity risk management, strategy, and governance in an Annual Report on Form 10-K. Foreign private issuers will be required to make comparable disclosures on Forms 6-K and 20-F. Set forth below is a brief summary of the final rules; a more detailed client alert will follow.Continue Reading SEC Adopts Cybersecurity Disclosure Rules

Earlier this month, the U.S. Securities and Exchange Commission’s (SEC) 2023 Spring Unified Agenda of Regulatory and Deregulatory Actions was released. The agenda identifies the rules that the agency expects to consider in the next 12 months and includes an anticipated action date for finalizing rules for cybersecurity disclosure by public companies by October 2023. This alert provides guidance on what companies should be doing to prepare now.Continue Reading SEC Adjusts Anticipated Action Date for Publication of Final Rules for Cybersecurity Reporting and Enhanced Standardized Disclosure

On March 2, 2023, the White House released its National Cybersecurity Strategy (the Strategy). The Strategy sets out ambitious goals for the federal government to hold countries accountable for irresponsible behavior in cyberspace and to

Continue Reading White House Releases National Cybersecurity Strategy: Key Takeaways for the Private Sector

On May 19, 2022, the U.S. Department of Justice (DOJ) revised its policy regarding charging decisions under the Computer Fraud and Abuse Act (CFAA). The new policy makes clear, “for the first time,” that the DOJ “should decline prosecution” of “good faith” security research, even if said research involves a technical violation of the CFAA.1 The new policy also limits prosecutions based on terms of service (TOS) or other boilerplate contractual violations, in recognition of the U.S. Supreme Court’s decision in Van Buren v. United States, 593 U.S. __ (2021).
Continue Reading DOJ Acknowledges Limits to the CFAA, but Questions (and Possible Civil Liability) Remain for Security Researchers and Others