The Cybersecurity and Infrastructure Security Agency seeks public input on regulations that will set new mandatory cybersecurity reporting requirements for critical infrastructure companies. Open questions include the following:

  • Who will be subject to the new requirements?
  • What level of incident will trigger mandatory reporting?
  • How much follow-up reporting will be required?
  • What costs could potential

The U.S. Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative, announced last October, is designed to leverage existing whistleblower incentives for employees, or other persons with inside knowledge, to identify lapses in federal contractors’ cybersecurity and privacy practices. We gave that issue in-depth treatment here, with particular focus on the U.S. District Court for the Eastern District of California’s opinion in United States ex. rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245 WBS AC, 2022 WL 297093 (E.D. Cal. Feb. 1, 2022), denying the defendant’s motions for summary judgment on a majority of the relator’s False Claims Act (FCA) claims.

Continue Reading Recent Settlement Highlights Cybersecurity Whistleblower Risk for Government Contractors

The Federal Communications Commission recently adopted certain final rules, policies, and proposed rules to “stem the tide of foreign-originated illegal robocalls.” The FCC Order targets so-called “gateway providers,” which are U.S.-based intermediate providers that receive calls directly from a foreign provider or its U.S.-based facilities before transmitting the calls downstream. Among other things, the Order

National Security Presidential Memorandum-33 requires federal agencies to impose disclosure and security requirements as part of research and development grant programs.

Academic and research institutions will be subject to standardized and enhanced disclosure obligations at the institutional and individual levels. Major institutions will also have to implement security programs with elements including cybersecurity and insider

New cybersecurity developments and observations, including those relating to U.S. Department of Labor review of cybersecurity issues, warrant prompt consideration by plan fiduciaries, including those plans covered by HIPAA.

The following update includes recommendations to help ERISA retirement and health and welfare plan sponsors and responsible fiduciaries protect benefit plans and participants against cybersecurity risks

The U.S. Securities and Exchange Commission proposed rules that will require public disclosure not only of cybersecurity incidents, but also of aspects of public companies’ preparedness for cyber threats. The proposed rules set a short time frame for reporting “material” compromises, and the rules do not provide for delayed disclosure at the request of law

China’s internet watchdog, the Cyberspace Administration of China, has continued to tighten its regulation of internet industries and driven the formulation of many new laws and regulations in cybersecurity and data protection in China.

On March 17, 2022, the CAC reported to the public its campaign’s achievements. These achievements showcased the determination of regulators to

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This follows increased reporting of cyber threats facing critical infrastructure sectors, particularly the energy sector. The regulations implementing the reporting requirements may be several years away, but overlap with other new reporting requirements such as the

In rapid succession, the following occurred:

Congress enacted new cybersecurity requirements for critical infrastructure.
U.S. Securities and Exchange Commission proposed a new cybersecurity rule.
U.S. Department of Justice unsealed indictments of Russian cyber operatives targeting the U.S. energy sector.
Federal Bureau of Investigation and the U.S. Department of Homeland Security pushed out new cybersecurity advisories.

On February 25, 2022, the Utah Senate unanimously (28-0) passed Senate Bill 227, also known as the Utah Consumer Privacy Act (Privacy Act). The 2022 session adjourned on March 4, and Utah Governor Spencer Cox has 20 days from that date to either sign (or not sign) the bill, after which it becomes law, or veto the bill, in which case it does not become a law unless the legislature overrides the governor’s veto. The Privacy Act would become the fourth comprehensive state consumer privacy law in the United States.
Continue Reading Utah Consumer Privacy Act on the Horizon