While businesses operating in California are still adjusting to the requirements of the California Consumer Privacy Act (CCPA) and are watching for enforcement actions brought by the California Attorney General, as its enforcement powers begin on July 1, an expansive new privacy initiative was certified today by the California Secretary
Continue Reading Expansive New California Privacy Measure Cleared for November Ballot

We have previously written about legal risks companies will face from the California Consumer Privacy Act (CCPA) when it goes into effect on January 1, 2020.  In short, companies can be subject to consumer class actions alleging statutory damages for mishandled data—and a key defense to those suits will be
Continue Reading New York’s SHIELD Act Creates Significant New Cybersecurity Obligations for Thousands of Firms Worldwide

On April 1, 2019, new cybersecurity requirements outlined in the NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 will come into effect.  These new requirements apply to NFA Members, including registered futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, and
Continue Reading NFA Members Should Prepare for Onerous New Breach Notification Requirements

On November 1, Canada provided the U.S. with another model for a national breach law:  the Personal Information Protection and Electronic Documents Act (“PIPEDA”).  Under that law, companies are required to notify Canada’s Privacy Commissioner and affected individuals as soon as feasible if they experience “any breach of security safeguards
Continue Reading What You Need to Know About Canada’s New Breach Notification Law

Readers of our blog know that the NYDFS cybersecurity rules and the European GDPR are part of a trend in regulation towards onerous breach notification requirements with very short (i.e., 72-hour) deadlines.  But there are other, less well-known examples.

Alabama and South Dakota recently passed data security statutes, which means
Continue Reading New Breach Notification Regulations – More Requirements with Less Time to Respond

For U.S. companies subject to the GDPR, figuring out breach notification obligations is about to get even harder as the GDPR adds another layer of complexity to the existing patchwork of 50 different state breach notification laws and several federal ones.

The GDPR will come into force on May 25,
Continue Reading GDPR Is Almost Here, Making Breach Notification Even More Complicated

One of the many difficult questions that companies face in the immediate aftermath of discovering a cyber breach is whether to inform their regulators or law enforcement.  Assuming there is no mandatory disclosure obligation, some companies are reluctant to call the government because (1) they may not know all the
Continue Reading Had a Cyber Breach? The FBI Really Wants To Hear From You!

Cryptojacking is the newest cyber threat that companies are facing.  It involves hackers accessing company servers in order to steal processing power, which is then used to mine cryptocurrencies.

With the recent increase in value of digital assets such as bitcoin, Ether, and Monero, it is not surprising that criminal
Continue Reading Cryptojacking – A Real Cyber Threat, Even If You Don’t Have To Tell Anyone

One of our cyber predictions for 2018 was that class action securities cases are going to become a major issue for companies involved in cyber events.

Large-scale data breaches often give rise to a variety of legal problems for the affected company, ranging from consumer class action litigation to congressional
Continue Reading The Intel Complaint – Cyber Class Action Securities Cases on the Rise

Cybersecurity regulators appear to be converging on 72-hour breach notification.  First it was the European Union’s General Data Protection Regulation (“GDPR”), then it was the New York Department of Financial Services (“NYDFS”) cybersecurity rules, and now the National Association of Insurance Commissioners (“NAIC”) has adopted the Insurance Data Security Model
Continue Reading Insurance Industry Moves Towards 72-Hour Breach Notification