In 2024, businesses will continue to face an evolving landscape of cyber threats, along with an increasingly complex regulatory environment. With heightened scrutiny from regulators, consumers, and investors, the need to bolster security measures and improve incident response capabilities has become even more important. Here’s our top 10 list of what to watch for from cybersecurity regulators in 2024:Continue Reading Cybersecurity: What to Watch for in 2024

Reflective of the Government’s increasing focus on cybersecurity, on October 3, 2023, the Federal Acquisition Regulation Council (FAR Council) released two new proposed rules that will have major impacts on federal contractors. These rules implement the May 2021 Executive Order on Improving the Nation’s Cybersecurity.1 One rule applies to any federal contractor that uses information and communications technology (ICT) systems in the performance of a federal contract, sets forth cybersecurity incident reporting requirements, and imposes a software bill of materials (SBOM) requirement. The other rule, which applies only to those federal contractors that provide or maintain a Federal Information System (FIS), is intended to standardize cybersecurity requirements for unclassified FISs.Continue Reading New Proposed Rules Published for Cyber Incident Reporting and Cybersecurity Requirements Will Have Major Impacts on Federal Contractors

On August 24, 2023, some members of the Global Privacy Assembly’s International Enforcement Cooperation Working Group published a joint statement on data scraping (Statement). Signatories to the Statement include the privacy regulators of the UK, Australia, Argentina, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, and Switzerland.[1] Notably absent from the list of signatories were the U.S. Federal Trade Commission and the California Privacy Protection Agency, both of which are accredited members of the Global Privacy Assembly. This seems likely due to First Amendment considerations in the U.S. regarding data scraping, which have led to “publicly available” information being broadly excluded from recent U.S. state privacy laws.Continue Reading Global Regulators Highlight Potential Harms of Data Scraping and Best Practices

On September 6, 2023, the European Commission (EC) returned from its summer break with full force and announced the designation of six tech companies as so-called “gatekeepers” under the EU’s Digital Markets Act (DMA) and

Continue Reading Into the Final Stretch: Six Gatekeepers Confirmed Under the EU’s Digital Markets Acts

Significant New CCPA Compliance Requirements Likely on the Way

On August 29, 2023, the California Privacy Protection Agency (CPPA) posted discussion drafts of its forthcoming regulations on cybersecurity audits and risk assessments as part of the materials for its September 8, 2023, public board meeting. These draft regulations are expected to eventually become part of the CPPA’s second rulemaking package under the California Consumer Privacy Act (CCPA) since the CCPA’s amendment by the California Privacy Rights Act. The CPPA has not yet started its formal rulemaking process for cybersecurity audits and risk assessments, and it has made clear that these draft regulations are meant to facilitate CPPA Board discussion and public participation. Nevertheless, the obligations set forth in the draft rules are extensive and provide an initial window into the onerous new compliance requirements. Notable requirements put forth for discussion under the draft regulations include:Continue Reading CPPA Posts Draft Rules on Cybersecurity Audits and Risk Assessments

On July 20, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to approximately 130 hospitals, telehealth providers, health app developers, and other healthcare industry companies warning of the “serious privacy and security risks” related to the use of online tracking technologies integrated into their websites and mobile apps. The FTC released a press release about the joint letter here and OCR released a press release about the joint letter here.Continue Reading OCR and FTC Issue Joint Letter to Healthcare Companies Warning About Online Tracking Technologies

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) announced that it adopted final rules requiring disclosure by public companies of material cybersecurity incidents in a Current Report on Form 8-K, and of material information regarding their cybersecurity risk management, strategy, and governance in an Annual Report on Form 10-K. Foreign private issuers will be required to make comparable disclosures on Forms 6-K and 20-F. Set forth below is a brief summary of the final rules; a more detailed client alert will follow.Continue Reading SEC Adopts Cybersecurity Disclosure Rules