Enforcement - Federal Agency and State AG Action

In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.

On June 21, the U.S. Department of Homeland Security issued a long-anticipated cybersecurity final rule that revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation related to contractors’ handling of controlled unclassified information.

Read on for highlights from this rule, which goes into effect July 21 and is likely

A bipartisan coalition of state attorneys general sent a comment letter to the Federal Trade Commission highlighting the risks to consumers from businesses’ surveillance and their collection and storage of data such as health information and location tracking.

Read on for details about this development and how companies that collect such information can minimize risks

On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, it failed to honor requests submitted through Global Privacy Controls (“GPC”), and it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.
Continue Reading First CCPA Enforcement Action Shows Accepting User-Enabled Global Privacy Controls Is Mandatory

Reflecting its determination to monitor the crypto markets, the U.S. Securities and Exchange Commission announced today that it was renaming the Cyber Unit the “Crypto Assets and Cyber Unit” and nearly doubling its size, from 30 to 50 members. The additional permanent positions will include investigative staff attorneys, trial lawyers and fraud analysts, who will

On Feb. 10, the Senate Judiciary Committee approved the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which targets the online proliferation of child sexual abuse material by paring back online service providers’ broad immunity under the Communications Act of 1934.

Read on for analysis of this legislation, which could open websites and tech

On May 12, President Biden signed an executive order mandating that the federal government significantly improve cybersecurity within its networks and modernize federal cyber defenses. This move follows a series of cyberattacks on private companies and federal government networks over the past year, including a recent incident that resulted in gasoline shortages along the U.S.

On March 2, 2021, Governor Northam signed into law Virginia’s own Consumer Data Protection Act (“Virginia CDPA” or the “Act”), a bill that brings together concepts from the EU’s General Data Protection Regulation (GDPR) as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It is the first of its kind legislation on the East Coast. The law will go into effect on January 1, 2023.

The drafters of the Virginia CDPA appear to have benefited from observing the pitfalls and problems that arose in the development and implementation of both GDPR and CCPA. The Virginia bill deftly avoids several of those by incorporating narrower, more tailored definitions that clearly exclude categories of data and businesses over which there was (and continues to be) some confusion with respect to both the EU/UK and California compliance regimes. It also adopts, in concept, the framework of the GDPR, and even some of its language. Like GDPR, it characterizes the party who initially collects and controls personal data as the “controller” and obligates that party to be a good steward of the data, through transparency with the consumer, accountability for sharing the data with third parties (“processors”), and a duty to implement appropriate data security to safeguard the data. It will be enforced by the Virginia Attorney General. Notably, there is no private right of action under the Act.Continue Reading Virginia’s New Consumer Data Protection Act (CDPA)

The U.S. Department of Justice announced an indictment in the U.S. Attorney’s Office for the Central District of California against a North Korea-sponsored international cybercriminal organization that infiltrated public and private computer networks, fundamentally compromised these systems, and sought to obtain over a billion dollars from this illicit access.

Read the full article on our

This week, the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of the Treasury released a joint advisory report on HIDDEN COBRA — the cyber threat North Korea poses to cryptocurrency — and provided mitigation recommendations for addressing this ongoing threat.

Read our full article on our Subject to Inquiry blog for highlights