On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted amendments augmenting and standardizing required disclosures for public companies related to cybersecurity. The rules apply to all registrants and include comparable requirements of foreign private issuers. The rules reflect several changes to elements described in the 2022 proposed rule and in previous guidance.
Data Breach
NIST Releases Draft Report on Blockchain for Access Control Systems for Public Comment
On December 20, 2021, the National Institute of Standards and Technology (NIST) released its draft interagency report 8403 on “Blockchain for Access Control Systems”. As the report’s abstract states:
“Protecting system resources against unauthorized access is the primary objective of an access control system. As information systems rapidly evolve, the need for advanced access control…
Senate Introduces Legislation Requiring 24-hour Ransomware Notification
A new bill introduced by the Senate (S. 2666), the “Sanction and Stop Ransomware Act of 2021”, would require a strict 24-hour limit for reporting ransomware payments for businesses with more than 50 employees. The bipartisan bill, put forward by leaders of the Senate Homeland Security and Governmental Affairs Committee, also focuses on critical infrastructure,…
President Biden Issues Executive Order on Cybersecurity
On May 12, 2021, President Biden issued an executive order to strengthen U.S. cybersecurity defenses. The order comes in the wake of the ransomware attack on Colonial Pipeline and numerous other cybersecurity attacks against the U.S. government and private companies over the past few years. The order proposes a wide array of changes to bolster…
Mortgage Analytics Company and FTC Agree to Settlement on Allegations Related to Third-Party Vendor Data Breach

Ascension Data & Analytics LLC, a data analytics company for the mortgage industry, has entered into a proposed settlement agreement with the Federal Trade Commission (FTC) following allegations that it violated the Gramm-Leach-Bliley Act’s (GLB) Safeguards Rule by failing to ensure that a third-party vendor was adequately securing data of mortgage holders. The FTC complaint …
Brazil’s Data Protection Law (“LGPD”) Retroactively Effective
On September 18, 2020, Brazil’s data protection law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”) became retroactively effective August 16, 2020. Penalties do not begin until August 1, 2021, based on a previous delay passed by Brazil’s legislature. Brazil’s legislature previously rejected a provisional measure which would have postponed applicability of…
Vermont Amends Data Breach Notification Law, Enacts Student Privacy Act
Vermont Amends Data Breach Notification Law
On July 1, 2020, amendments to Vermont’s Security Breach Notice Act, 9 V.S.A. §§ 2330 & 2335, took effect along with a new “Student Online Personal Information Protection Act.”
Key amendments to the security breach act include:
- An expanded definition of Personally Identifiable Information (“PII”). The definition now
…
First Charges Filed for Breach of New York’s Cybersecurity Regulations
On July 21, 2020, the New York State Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for breach of state cybersecurity regulations. Specifically, NYDFS alleges that First American exposed tens of millions of documents containing consumers’ sensitive personal information, including bank account numbers and statements, mortgage and tax…

Cyber Insurance Found to Cover Fraudulent Wire Transfer

Note: This post was originally posted in our Southeast Financial Litigation Monitor.
Gregory C. Cook & Brandon N. Robinson
The story is becoming all too common. A merchant (or consumer) is convinced to wire money to a fraudulent account because of an incorrect belief that they are wiring the money to the real party. …
HHS Suffers Cyber Attack Meant to Slow Coronavirus Response, No Damage Done
According to a Bloomberg article posted earlier this morning, the U.S. Health and Human Services Department (“HHS”) suffered a cyber attack on its computer systems Sunday night. The attack appears to have been intended to slow the agency’s systems, but was unable to do so in any meaningful way. Just before midnight, the National Security…