On April 14, 2021, the United States Department of Labor (the “DOL”) issued for the first time guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants guidance on cybersecurity issues. The DOL’s press release includes three pieces of guidance, including: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.

The Employee Benefits Security Administration, a sub-agency of the DOL (the “EBSA”) long ago stated that addressing cybersecurity has been on the agency’s “to do” list and even published a report in 2016 reflecting the need for such guidance, which we previously covered here.

The Employee Retirement Income Security Act of 1974, as amended (“ERISA”), includes fiduciary standards that require a retirement plan to be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Common sense dictates that ERISA fiduciaries administer their plans in accordance with industry standards for cybersecurity, safeguard plan assets and ensure that appropriate controls are in place to avoid financial losses to plans that may result from a cybersecurity breach. However, the legal issues concerning who is responsible (plan participant, plan sponsor or record keeper) remain open questions in many jurisdictions.

Continue Reading DOL’s New Cybersecurity Guidance

The technology sector runs the gamut from artificial intelligence (AI), the Internet of Things (IoT) to SaaS companies or cybersecurity, and from the biggest household names to the smallest companies being operated out of garages. The rise of AI and traps for the unwary were previously covered here.  Risks of investing in SaaS Solutions can be found here and here.  Technology is everywhere in 2021, even in the smallest brick and mortar shops around.  Technology investing offers lucrative opportunities for investors large and small, but there are many traps for the unwary, such as “zero-day exploits.”

Continue Reading Tech Investing Part 1: Zero Hour

Almost exactly a year ago, the first COVID-19 tuition reimbursement lawsuits were filed against higher education institutions across the United States and we warned of the continued onslaught of such litigation.  With the filing of those reimbursement class actions decreasing, higher education institutions should be cognizant of a potential new wave of COVID-19 class actions: privacy class action lawsuits related to the COVID-19 vaccine.

Continue Reading Colleges Should Brace for Next Phase of COVID-19 Class Actions

On April 1, 2021, the U.S. Supreme Court issued its long-awaited opinion in Facebook v. Duguid, which resolved a circuit split regarding the meaning of “automatic telephone dialing system” (autodialer or ATDS) under the Telephone Consumer Protection Act (TCPA). In a decision authored by Justice Sonia Sotomayor, the court adopted the narrow, pro-defendant definition of autodialer.

Continue Reading U.S. Supreme Court Adopts Narrow Autodialer Definition in 9-0 Defense Victory

On March 9, the Department of Health and Human Services announced it was extending until May 6, 2021, the comment period for proposed changes to regulations implementing the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.

Read our complete alert to learn more about this development and the proposed rule, expected to draw significant interest and comment from stakeholders in the healthcare industry.

2021 is shaping up to be a groundbreaking year for employment litigation topics, and Illinois’ Biometric Information Privacy Act (BIPA) is no exception. State and federal appellate courts in Illinois are poised to decide several open issues, including the proper limitations period, whether the Workers Compensation Act pre-empts BIPA claims and whether BIPA liquidated damages are measured on a per-employee or per-scan basis.

Read our full alert to learn more about how these appeals can affect employers’ biometric privacy obligations and exposure for violations.

Information security is critical to the operation of the financial markets and the confidence of its participants. . . The Division is acutely focused on working with firms to identify and address information security risks, including cyber-attack related risk . . .” SEC Division of Examinations, 2021 Examination Priorities, at 24.

On March 3, 2021, the Securities and Exchange Commission’s newly renamed Division of Examinations (EXAMS) (formerly the Office of Compliance Inspections and Examinations (OCIE)) announced its 2021 examination priorities.  Information security and operational resiliency ranked number two out of the top five priorities sending a clear message that the SEC is focused on emergent security threats, particularly cyber-attacks, resulting from the sudden and unprecedented increase in remote operations.

Continue Reading SEC Announces 2021 Information Security Examination Priorities – Five (5) Steps Every Firm Should Take to Prepare!

On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first of its kind legislation on the East Coast. The law will go into effect on January 1, 2023.

The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.

Continue Reading Virginia’s New Consumer Data Protection Act (CDPA)

The U.S. Department of Justice announced an indictment in the U.S. Attorney’s Office for the Central District of California against a North Korea-sponsored international cybercriminal organization that infiltrated public and private computer networks, fundamentally compromised these systems, and sought to obtain over a billion dollars from this illicit access.

Read the full article on our Subject to Inquiry blog for details about this enforcement action, which spotlights the cybercriminals’ methods to steal intellectual property and corporate secrets, while also conducting cyber-extortions, ransomware attacks, and cyber-enabled heists of bank-held funds, ATMs and cryptocurrency.

This week, the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury released a joint advisory report on HIDDEN COBRA — the cyber threat North Korea poses to cryptocurrency — and provided mitigation recommendations for addressing this ongoing threat.

Read our full article on our Subject to Inquiry blog for highlights from the report and a list of steps organizations can take to minimize their vulnerability and respond effectively in the event of a cyberattack.