On Thursday, May 11, 2023, the Federal Trade Commission hosted a panel to discuss questions relating to the cloud computing industry. As we’ve previously covered, the FTC is currently seeking public comment as part of a Request for Information regarding cloud computing business practices. In part, the goal of the panel was to identify issues the FTC should explore in its RFI.

The Federal Trade Commission (FTC) issued a press release and a request for information on March 22, 2023, soliciting comments from the public on cloud computing business practices, including issues related to market power, competition, and potential data security risks.

Regarding data security, the request for information seeks to gain insight on cloud computing against the backdrop of FTC guidance to businesses on steps to secure and protect data stored in the cloud. This request comes amid recent FTC enforcement matters (such as against education technology provider Chegg) alleging failure to adequately secure data stored on third-party cloud computing services.

Critical infrastructure companies should expect substantial new federal cybersecurity requirements based on the National Cybersecurity Strategy that President Biden announced on March 2, 2023. The Strategy includes enhanced requirements for critical infrastructure. Specifically, President Biden pivoted federal cybersecurity policy from encouraging voluntary adoption of proactive security measures to using regulation and other measures to mandate

Utah state lawmakers are poised to change how (and when) minors who reside in Utah can use social media. Introduced in January, S.B. 152 and H.B. 311 recently cleared the Utah legislature and both bills have been sent to Governor Spencer Cox, who dismissed industry concerns that the bills would pose privacy risks, impede minors’ independence, and violate the First Amendment. If signed, the bills would go into effect on March 1, 2024.

The Federal Energy Regulatory Commission has published a final rule calling for the North American Electric Reliability Corporation to develop standards for internal network cybersecurity monitoring. This rule will be required for all high-impact bulk electric systems and medium-impact bulk electric systems with external routable connectivity and conduct a study of the security of other

The Biden Administration released its National Cybersecurity Strategy on March 1. The Strategy breaks with past precedent and emphasizes regulatory mandates and imposing liability, in addition to enhancing voluntary information sharing and development of best practices. The Strategy will particularly affect critical infrastructure and cloud service providers.

Artificial Intelligence (AI) and automated systems can increase efficiency and help reduce human error. However, the National Institute of Standards and Technology (NIST), the White House, and the Equal Employment Opportunity Commission (EEOC) are warning companies that uncritical reliance on AI can have legal consequences, including potentially building in bias that can lead to claims

The Transportation Security Administration issued a new cybersecurity directive to enhance cybersecurity preparedness and resilience for designated passenger and freight railroads. The requirements focus on performance-based measures to achieve critical cybersecurity outcomes in light of the growing sophistication of evolving threats.

The directive is effective as of October 24, 2023, and companies will need to

The recently announced disruption of the Hive ransomware network is a significant and welcome accomplishment. It cuts off bad actors from the gains they sought to extract from victims and makes their continued criminal activity more challenging. Raising the cost on malicious cyber actors is always a good way to deny them the inherent benefits of online crime, such as distance from target, anonymity, and freedom of operation.

Recent comments by Anne Neuberger, President Biden’s Deputy National Security Adviser for Cyber and Emerging Technology, herald an important shift in U.S. cybersecurity policy. Traditionally, the U.S. Government’s approach has mostly focused on requiring companies to notify regulators and affected individuals of security breaches that implicate specific types of information, such as personally identifiable information, protected health information, and financial information. Federal efforts to prescribe or enforce proactive security measures have been sector-specific, such as the Transportation Security Administration’s Security Directives covering rail and pipeline owners and operators. Those measures have been spread among sector-specific agencies, which has resulted in multiple, and sometimes conflicting or confusing, requirements applying to some businesses. Federal law enforcement agencies have also made targeted and novel use of criminal search authorities to proactively remediate privately owned machines infected with malware by Russian and China-based actors.
