National Cybersecurity Awareness Month (NCSAM) is coming to a close, but diligent cybersecurity efforts must continue. In honor of another successful NCSAM, below we have gathered some of our most popular cybersecurity content you can use as a quick reference for all of your cyber-related interests.

Recent headlines have detailed foreign-state actors targeting utilities and independent power producers in the United States to gain access to critical infrastructure at the nation’s utilities and military installations.[1]  Cybersecurity practices within the independent power industry vary widely depending on the asset type and the operator’s sophistication.  Despite this risk, purchase agreements and credit agreements for renewable energy facilities do not typically address compliance with cybersecurity standards.  Generic representations and covenants relating to compliance with law or maintenance of project assets in compliance with prudent industry practices inadequately protect acquirers and lenders from cybersecurity risks.  The overwhelming majority of renewable power projects are considered low impact under NERC’s Critical Infrastructure Protection standards and, thus, not subject to significant regulation.[2]

Continue Reading Cybersecurity in Project Finance and M&A

FINRA issued their 2019 Report on Examination Findings and Observations ahead of prior years’ reports.

FINRA Changes Approach in Communicating Exam Results 

This most recent report, issued on October 16, 2019, starts by highlighting a recently implemented distinction on their part as to how they communicate exam results to firms. That is, FINRA stated that they now report “findings,” which are violations of the rules, and “observations” (f/k/a “recommendations”), which are “suggestions to [the] … firm about how it could improve its control environment in order to address perceived weaknesses that elevate risk, but do not typically rise to the level of a rule violation or cannot be tied to an existing rule.” Continue Reading Cybersecurity Best Practices: FINRA’s 2019 Exam Observations

Continuing our coverage of cybersecurity issues during National Cybersecurity Awareness Month (NCSAM), we have identified 5 important cybersecurity questions and talking points you can use to start a meaningful cybersecurity conversation at your business.

Counsel and business executives take note: cybersecurity is not just an IT problem, robust cybersecurity starts with a healthy dialogue between legal, business, and IT. The chart below illustrates how failure to engage in meaningful oversight of your company’s data and systems security will create costly, significant, and unnecessary risk.


The good news is that you need not be an IT expert to oversee your company’s cybersecurity risk. You do not need to be able to write code, or to know exactly what software is needed to keep the company’s data secure. The first step is to open a healthy dialogue with your IT professionals – a dialogue that will allow you to assess more capably your company’s readiness to counter a broad range of exploitation techniques.

Try calling your CISO or CIO and asking these questions:

Continue Reading 5 Cybersecurity Questions To Ask Your CISO

Welcome back to our three-part series providing an overview of CIPA, recent CIPA class actions, and class action defenses. In Part I we provided an overview of CIPA and its recent resurgence in the age of smart speakers.  In Part II we highlighted recent class actions alleging CIPA violations involving the use of smart speakers. Here, we address potential defenses in response to a motion to certify a CIPA class.

Defenses to a CIPA Class Action

These recent lawsuits are good reminders of the real privacy concerns with new developing technologies.  Below is an overview of practice pointers and lessons learned from CIPA lawsuits if you are named in CIPA litigation. Continue Reading The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part III)

Late last week heralded two significant and highly anticipated updates to the California Consumer Privacy Act (CCPA).

On October 10, 2019, the Office of the California Attorney General issued a long-anticipated Notice of Proposed Rulemaking Action regarding the CCPA.  The full text of the proposed regulations can be found here.  The next day, Governor Gavin Newsom signed all seven amendments to the CCPA that came out of the California State Assembly.

This post will address the statutory amendments first since they modify the CCPA itself, then turn to the draft regulations (officially, the “California Consumer Privacy Act Regulations”). Continue Reading CCPA Update: AG Issues Draft Regulations and Governor Signs Amendments

Welcome back to our three-part series examining CIPA class actions and defenses. In Part I of this series, we provided an overview of CIPA and its recent resurgence in the age of smart speakers. Here, we review recent CIPA class actions and common violations.

CIPA Finds New Life in the Wake of the “Smart” Devices 

According to a recent report, over a quarter of the adult population in the United States owns a smart speaker.[1] As smart speakers gain popularity, privacy litigation risks continue to grow. Recently-filed complaints utilize CIPA to attack the practice of recording and storing communications between a customer and a smart device such as smart phones or smart speakers.[2]  In 2019 alone, we have seen a rise in the number of cases against major technology companies alleging CIPA violations related to smart devices.  Below is an overview of those recent cases. Continue Reading The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part II)

Welcome to a three-part series that provides an overview of the California Invasion of Privacy Act (CIPA), examines recent CIPA litigation involving smart speakers, and proposes defenses in response to an alleged violation.

CIPA in the Age of Smart Devices

The California Invasion of Privacy Act (CIPA)[1]—traditionally used by law enforcement and the plaintiffs’ bar to address illegal recording/eavesdropping on phone calls—has seen renewed interest in the age of smart speakers. Smart speakers, such as Amazon’s Alexa, Google Home and Apple’s Siri, are voice-enabled devices where the user utters a “wake word” to activate a “virtual assistant”.  A number of putative class actions have recently been filed over these “virtual assistants” and whether they illegally record individuals without their consent.  This recent spate of lawsuits highlights CIPA-compliance risks associated with these new technologies. This article provides an overview of CIPA’s history and features, addresses recently filed CIPA smart-device cases, and recommends defenses for responding to a smart device CIPA action. Continue Reading The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part I)

California AG Releases Proposed CCPA Regulations

This week, California Attorney General (AG) Xavier Becerra released the draft regulations for the California Consumer Privacy Act (CCPA). The rules set forth procedures for businesses covered under the CCPA to follow for compliance. The rules can be found here.

Nevada Consumer Privacy Law – In Effect

As previously reported, Nevada Senate Bill 220 (SB-220), which offers consumers the ability to opt out of the sale of their personal information, has become effective as of October 1, 2019. Analysis of the law and what it means for you business can be found here.

European Court of Justice Rules Active Consent Needed For Tracking Cookies

The European Court of Justice (CJEU) decided that companies must get active consent from internet users before using cookies to track browsing activity. “Passive” acceptance of cookies is not an acceptable form of consent. This includes using prechecked boxes, or posting a cookies banner and assuming the user has consented via their continued use of the website. The ruling can be found here.

DOD Seeks Input From Nonprofits For Cyber Accreditation Program

The U.S. Department of Defense (DOD) is seeking information from nonprofits regarding an accreditation body for its pending Cybersecurity Maturity Model Certification, (CMMC), program.  DOD said, “[t]his RFI seeks information on how to define the long-term implementation, functioning, sustainment, and growth of the CMMC accreditation body.” The CMMC will build on DOD cybersecurity requirements by incorporating existing cybersecurity standards including the NIST’s Special Publication 800-171.

According to Rosenworcel,  FCC Must Take Greater Role In Cybersecurity

During remarks at a NIST event, Rosenworcel stated that the FCC should work with NIST to help fortify IoT devices against cyber-attacks. “If we want to make sure that no one company can undermine our national security, it’s time for the United States to develop policies that help spur its creation,” she said.