Archives: Cybersecurity

Global Regulators Highlight Potential Harms of Data Scraping and Best Practices

On August 24, 2023, some members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group published a joint statement on data scraping (Statement). Signatories to the Statement include the privacy regulators of the UK, Australia, Argentina, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, and Switzerland.[1] Notably absent from the list of … Continue Reading

Into the Final Stretch: Six Gatekeepers Confirmed Under the EU’s Digital Markets Act

On September 6, 2023, the European Commission (EC) returned from its summer break with full force and announced the designation of six tech companies as so-called “gatekeepers” under the EU’s Digital Markets Act (DMA) and published a Q&A document. The six companies are predominantly American, with one Asian company represented and no European: Alphabet, Amazon, Apple, … Continue Reading

CPPA Posts Draft Rules on Cybersecurity Audits and Risk Assessments

Significant New CCPA Compliance Requirements Likely on the Way

On August 29, 2023, the California Privacy Protection Agency (CPPA) posted discussion drafts of its forthcoming regulations on cybersecurity audits and risk assessments as part of the materials for its September 8, 2023, public board meeting. These draft regulations are expected to eventually become part of … Continue Reading

OCR and FTC Issue Joint Letter to Healthcare Companies Warning About Online Tracking Technologies

On July 20, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to approximately 130 hospitals, telehealth providers, health app developers, and other healthcare industry companies warning of the “serious privacy and security risks” related to the use of online tracking … Continue Reading

SEC Adopts Cybersecurity Disclosure Rules

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) announced that it adopted final rules requiring disclosure by public companies of material cybersecurity incidents in a Current Report on Form 8-K, and of material information regarding their cybersecurity risk management, strategy, and governance in an Annual Report on Form 10-K. Foreign private issuers will be required to … Continue Reading

SEC Announces Open Meeting to Consider Cybersecurity Rules

On July 19, 2023, the U.S. Securities and Exchange Commission (SEC) announced that it will hold an open meeting on Wednesday, July 26, 2023, to consider whether to adopt rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange … Continue Reading

SEC Adjusts Anticipated Action Date for Publication of Final Rules for Cybersecurity Reporting and Enhanced Standardized Disclosure

Earlier this month, the U.S. Securities and Exchange Commission’s (SEC) 2023 Spring Unified Agenda of Regulatory and Deregulatory Actions was released. The agenda identifies the rules that the agency expects to consider in the next 12 months and includes an anticipated action date for finalizing rules for cybersecurity disclosure by public companies by October 2023. … Continue Reading

Are You Ready for the 3Cs?: California, Colorado, and Connecticut’s New Privacy Laws Become Enforceable July 1, 2023

On July 1, 2023, the Colorado Privacy Act (ColoPA) and Connecticut Data Privacy Act (CTDPA) will go into effect, joining California and Virginia, whose data privacy laws are already in effect. Notably, while the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) went into effect on January 1, 2023, those amendments will also become enforceable starting … Continue Reading

UK and U.S. Commit to Establish a “Data Bridge” to Facilitate the Free Flow of Personal Data

On June 8, 2023, the UK and the U.S. governments issued a joint statement announcing that they had committed in principle to the establishment of a “UK Extension to the Data Privacy Framework,” which would facilitate flows of personal data between the two countries (the “Data Bridge”).… Continue Reading

Texas Joins Other States in Enacting Social Media Law for Minors

On June 13, 2023, Texas Governor Greg Abbott signed the Securing Children Online through Parental Empowerment Act (HB 18) (SCOPE Act). With this signing, Texas joins Utah and Arkansas in regulating social media and its impact on minors and their mental health. The SCOPE Act requires covered “digital service providers” to provide minors with certain data protections, prevent minors from accessing … Continue Reading

Meta Receives Record 1.2 Billion EUR Fine and Is Ordered to Suspend Its EU-U.S. Data Transfers

On May 22, 2023, Ireland’s Data Protection Commission (DPC) published its long-awaited decision in the Meta EU-U.S. data transfer case (Decision). In its landmark Decision, the DPC imposed a record 1.2 billion EUR fine and ordered Meta Platforms Ireland Limited (Meta) to suspend any EU-U.S. transfers of personal data within approximately five months. Meta was … Continue Reading

The Sixth State: Iowa Enacts Comprehensive Privacy Law

On March 28, 2023, Iowa Governor Kim Reynolds signed “An Act Relating to Consumer Data Protection” (SF 262) (ICDPA),[1] making Iowa the sixth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, Utah, and Connecticut. Substantively, the ICDPA is similar to Connecticut’s recently enacted An Act Concerning Personal Privacy and Online Monitoring (CPOMA), the Utah … Continue Reading

UK Brings Forward Legislation to Streamline the GDPR

In March 2023, the UK government published the Data Protection and Digital Information (No. 2) Bill (the bill). If enacted, the bill will introduce significant changes to the UK’s data protection laws, with the aim of introducing a simple, clear, and business-friendly framework, while maintaining high data protection standards.… Continue Reading

White House Releases National Cybersecurity Strategy: Key Takeaways for the Private Sector

On March 2, 2023, the White House released its National Cybersecurity Strategy (the Strategy). The Strategy sets out ambitious goals for the federal government to hold countries accountable for irresponsible behavior in cyberspace and to disrupt the networks of criminals behind cyberattacks. It also seeks to establish, harmonize, and streamline regulations to secure critical infrastructure, as well … Continue Reading

EU Regulators Adopt Opinion on Draft EU-U.S. Data Privacy Framework

Since the invalidation of the Privacy Shield framework in 2020 in the “Schrems II” case, the EU and the U.S. have been working to set up a new framework for data flows from the EU to the U.S. A draft of a new “Data Privacy Framework” (DPF), which is designed to serve as the basis … Continue Reading

California AG Targets Mobile Apps for Failing to Honor or Provide Mechanism for Opt-Out Requests

On January 27, 2023, the California Attorney General (California AG) Rob Bonta announced an “investigative sweep” of mobile apps in retail, travel, and food service industries for failing to provide a mechanism for—or honor—consumers’ opt-out requests to stop selling their data under the California Consumer Privacy Act (CCPA). According to the California AG’s tweet, the … Continue Reading

2023 U.S. Cybersecurity Predictions

Given that cyberattacks continue to be sophisticated and severe, and cybersecurity continues to be a top concern for regulators, consumers, business partners, and investors, companies should be proactive and devote adequate resources to their security practices and incident response. In addition to the litigation and reputational risks that companies face if they are perceived as … Continue Reading

Council of the EU Proposes Amendments to Draft AI Act

On December 6, 2022, the European Union’s (EU) Regulation on Artificial Intelligence (AI Act) progressed one step towards becoming law when the Council of the EU (the Council) adopted their amendments to the draft act (Council General Approach). The European Parliament (Parliament) must now finalize their common position before interinstitutional negotiations can begin.… Continue Reading

California Privacy Protection Agency Releases Modified Proposed CPRA Regulations: An In-Depth Analysis

Written Comments Due by November 21

On November 3, 2022, the California Privacy Protection Agency (CPPA, or the Agency) issued modified proposed regulations implementing the California Privacy Rights Act (CPRA),[1] which revise the initial proposed regulations released on July 8, 2022. The Agency’s Notice of Modifications to Text of Proposed Regulations triggers a 15-day public … Continue Reading

President Biden Signs Executive Order to Implement the New EU-U.S. Data Privacy Framework

On October 7, 2022, President Biden signed an Executive Order (Order) on Enhancing Safeguards for United States Signals Intelligence Activities. This marks the latest step towards the new EU-U.S. Data Privacy Framework (Framework), a replacement for the defunct EU-U.S. Privacy Shield (Privacy Shield). The next stage in the process is for the European Commission (EC), with input from the … Continue Reading

European Commission Proposes New EU Cybersecurity Rules for Software and Hardware Products

On September 15, 2022, the European Commission (EC) published a Proposal for a Cyber Resilience Act (CRA Proposal) that sets out new rules in the European Union (EU) for software and hardware products and their remote data processing solutions. The CRA Proposal introduces mandatory cybersecurity-related requirements and reporting obligations, including about product vulnerabilities, for manufacturers, … Continue Reading

CFPB: New Sheriff in Town for Tech Companies?

On August 10, 2022, the Consumer Financial Protection Bureau (CFPB) issued a final Interpretive Rule stating that the Consumer Financial Protection Act (CFPA) applies to companies engaged in targeted advertising of financial products and services. Because the CFPB considers these companies to be covered by the CFPA, they would be subject to civil money penalties … Continue Reading

D(MA)-Day: Formal Adoption of the EU Digital Markets Act

On July 18, 2022, the long-awaited Digital Markets Act (DMA) received the final approval of the EU’s co-legislators. The DMA will impose stringent far-reaching obligations on the largest digital platforms: the “gatekeepers.” The regulation will give the European Commission (EC) significant new enforcement powers, including the ability to impose severe fines and remedies in case … Continue Reading

EU Parliament and EU Council Approve the DMA

On July 18, 2022, the EU Council formally adopted the EU Digital Markets Act (DMA), following approval by the EU Parliament earlier this month (the press releases are available here and here). The final DMA text as approved is available here. As next steps, the final text of the law will be signed by the … Continue Reading