Cybersecurity

Subscribe to Cybersecurity via RSS

Key Changes to Upcoming AI, Risk Assessment, and Cybersecurity Regulations

On May 1, 2025, the California Privacy Protection Agency (CPPA) Board met again to discuss updates to the latest draft California Consumer Privacy Act (CCPA) regulations related to automated decision-making technology (ADMT), cybersecurity audits, risk assessments, and an assortment of other updates to existing regulations. These latest updates come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. In April 2025, the Board continued to grapple with public concerns and received hundreds of public comments on the prior draft regulations, an analysis of which can be found in this recent client alert. At the CPPA meeting last week, CPPA staff proposed significant changes to the prior draft, on which the Board provided more feedback and agreed to open the regulations for public comment as soon as this week and closing June 2, 2025.Continue Reading CPPA Board Opens Draft Regulations for Public Comment

On April 4, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss the latest draft California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and an assortment of other updates to existing regulations. These revisions come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. The board meeting turned out to be quite contentious, with board member Alastair Mactaggart emphasizing some of the serious concerns raised in the unusually large volume of public comments—totaling 630 comments and 1,664 pages of feedback—expressing his own concerns that those comments lay out “the very explicit blueprints” for others to challenge the constitutionality of the draft regulations. Ultimately, the Board provided extensive feedback on the draft regulations to CPPA staff, going beyond the issues that staff had prepared for discussion.Continue Reading CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations

On March 27, 2025, the Information Commissioner’s Office (ICO) announced a fine of 3 million GBP (3.9 million USD) against a software provider (the company) for security deficiencies following a ransomware incident (e.g., lack of multi-factor authentication (MFA)). This is the first time the ICO has fined a processor under the UK’s General Data Protection Regulation (GDPR). This post provides an overview of the decision and outlines the key points companies should consider, including the security measures the ICO expects them to implement.Continue Reading UK Regulator Issues Three Million GBP Monetary Penalty in Connection with Ransomware Attack

On February 4, 2025, the European Commission (EC) issued draft guidelines clarifying the AI practices that are prohibited under the European Union’s (EU) Artificial Intelligence (AI) Act. While non-binding, the guidelines offer valuable clarifications and practical examples to help businesses navigate their obligations under the AI Act. The EC has approved the draft guidelines, but is still to formally adopt them, which is expected in the near term.Continue Reading EU Commission Issues Guidelines on Prohibited AI Practices Under EU AI Act