Information Governance and Risk Management

Two more states have enacted consumer privacy protection laws, with Oregon and Delaware joining the existing fray of state comprehensive consumer privacy laws in California, Colorado, Virginia, Utah, Connecticut, Iowa, Indiana, Montana, Tennessee, Florida, and Texas. For a useful chart detailing the applicability, effective dates, and exemptions of all of the state laws enacted thus

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted amendments augmenting and standardizing required disclosures for public companies related to cybersecurity. The rules apply to all registrants, and includes comparable requirements of foreign private issuers. The rules reflect several changes to elements described in the 2022 proposed rule and in previous guidance.

On July 31, 2023, the California Privacy Protection Agency (“CPPA”) – the state privacy regulatory agency charged with regulating and enforcing the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA”) — announced that it will be reviewing the data privacy practices of connected vehicle (CV) manufacturers and related CV technologies.

On Monday, March 13, 2023, The Texas House Business & Industry committee held a hearing for the main data privacy bill for this legislative session by Representative Capriglione of Southlake, TX, a Dallas suburb. The 34-page bill filed earlier this year aims to comprehensively address how companies and consumers interact with personal data. Similar to California, European, and a handful

On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.  The order aims to address concerns expressed by the Court of Justice of the European Union (CJEU) in the Schrems II case, in which it ruled the E.U.-U.S. Privacy Shield inadequate as a cross-border transfer mechanism. 

The Department of Justice (“DOJ”), on behalf of the Federal Trade Commission (“FTC”), filed a complaint and motion for entry of a stipulated order with the Northern District of California, which would require Twitter to pay civil penalties and take other corrective actions for their violation of the FTC Act and a previous 2011 FTC

On December 20, 2021, The National Institute of Standards and Technology (NIST) released its draft interagency report 8403 on “Blockchain for Access Control Systems”.  As the report’s abstract states:

“Protecting system resources against unauthorized access is the primary objective of an access control system. As information systems rapidly evolve, the need for advanced access control

A new bill introduced by the Senate (S. 2666), the “Sanction and Stop Ransomware Act of 2021”, would require a strict 24-hour limit for reporting ransomware payments for businesses with more than 50 employees. The bipartisan bill, put forward by leaders of the Senate Homeland Security and Governmental Affairs Committee, also focuses on critical infrastructure,

Background

Yesterday, on September 22, 2021, the California Privacy Protection Agency (“CPPA”) — the new privacy regulatory agency created by the California Privacy Rights Act of 2020 (“CPRA” or “CCPA 2.0”) — issued an invitation for public comment on its proposed rulemaking.  Such comments “will assist the Agency in developing new regulations, determining whether

Background

On August 30, 2021, the Securities and Exchange Commission (SEC) sanctioned eight firms in three actions for cybersecurity failures in their policies and procedures that exposed the personal information of thousands of customers at each firm. These firms included: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC,