Cybersecurity

Subscribe to Cybersecurity via RSS

In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations.  These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.

Continue Reading New CCPA Rules Are Here: Is Your Business Ready for What’s Next?

Regulators of data privacy laws have expressed a desire in recent months to intensify enforcement around opt-out preference signals, also known as universal opt-out mechanisms (the “Opt-Out Signals”).

Opt-Out Signals allow consumers to automatically opt-out of the sale and sharing of personal information for targeted advertising across all websites they may visit through an internet

After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on Sept. 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement, formally published on Sept. 10, 2025. CMMC 2.0 is a fundamental shift in how the

Amazon’s recent announcement to invest at least $20 billion in cloud computing and AI data center campuses across Pennsylvania — a record‑breaking private investment in the state — marks a turning point in digital infrastructure build-out. Spanning sites in Luzerne and Bucks counties, the project promises 1,250 full‑time roles and thousands more in construction, while

On May 20, 2025, the Senate cleared procedural obstacles to consider the GENIUS Act on the Senate floor. Originally introduced on Feb. 4, by Senator Bill Hagerty, R-TN, along with Senate Banking Committee Chairman Tim Scott, R-SC, Kirsten Gillibrand, D-NY, and Cynthia Lummis, R-WY, the Guiding and Establishing National Innovation for U.S. Stablecoins of 2025

In a recent decision, the U.S. District Court for the Northern District of California has construed the private right of action provision under the California Consumer Privacy Act (CCPA) broadly, which increases business risk to tracking technologies lawsuits that are already rampant.

Continue Reading Broad Interpretation of CCPA’s Private Right of Action Increases Business Risk to Tracking Technologies Lawsuits

On January 10, 2025, in the waning days of the Biden Administration, the Consumer Financial Protection Bureau issued a Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data. The Request signals the Bureau’s strong concern with the ways financial institutions, and particularly new financial tools like widespread use of mobile banking, collect and use sensitive consumer-financial data. The Request was motivated by the results from the data that the Bureau collected in developing its Personal Financial Data Rights Rule, finding that “actual business practices show significant deviation from longstanding consumer expectations when it comes to the collection, use, and monetization of data harvested from payment transactions.” Among the Bureau’s chief concerns was consumers’ general ignorance about financial data that Americans believe “is kept private just because it is sensitive.” On the contrary, the Bureau found that not only is consumers’ sensitive financial information monetized, but also that it is commingled with consumer attributes like geographic location, social-media habits, and even individual voices. Such advancements, the Bureau worries, could lead to “dynamic pricing algorithms” that show different pricing for different users, based on their harvested personal data.  

Continue Reading CFPB Explores the Need for Greater Financial Privacy

In response to increased cybersecurity threats and significant regulatory enforcement actions, on Dec. 27, 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking seeking to enhance cybersecurity protections under the Security Rule implemented pursuant to the Health Insurance Portability and Accountability Act of 1996. While the proposed rule is

As public companies’ reliance on remote work, cloud computing and digital payments increases, so too does the cybersecurity risk. Recognizing this, the SEC finalized rules and regulations in September 2023 requiring new cybersecurity-related disclosures from public companies. In prior efforts to improve consistency and accuracy of public company cybersecurity risk disclosures, the SEC issued interpretive

On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack. This wave of enforcement actions