Utah state lawmakers are poised to change how (and when) minors who reside in Utah can use social media. Introduced in January, S.B. 152 and H.B. 311 recently cleared the Utah legislature and both bills have been sent to Governor Spencer Cox, who dismissed industry concerns that the bills would pose privacy risks, impede minors’ independence, and violate the First Amendment. If signed, the bills would go into effect on March 1, 2024.Continue Reading Utah Legislature Approves Social Media Restrictions for Minors

The Federal Energy Regulatory Commission has published a final rule calling for the North American Electric Reliability Corporation to develop standards for internal network cybersecurity monitoring. This rule will be required for all high-impact bulk electric systems and medium-impact bulk electric systems with external roundtable activity and conduct a study of the security of other

The Biden Administration released its National Cybersecurity Strategy on March 1. The Strategy breaks with past precedent and emphasizes regulatory mandates and imposing liability, in addition to enhancing voluntary information sharing and development of best practices. The Strategy will particularly affect critical infrastructure and cloud service providers.

Click here to read the full Update.

Artificial Intelligence (AI) and automated systems can increase efficiency and help reduce human error. However, the National Institute of Standards and Technology (NIST), the White House, and the Equal Employment Opportunity Commission (EEOC) are warning companies that uncritical reliance on AI can have legal consequences, including potentially building in bias that can lead to claims

The Transportation Security Administration issued a new cybersecurity directive to enhance cybersecurity preparedness and resilience for designated passenger and freight railroads. The requirements focus on performance-based measures to achieve critical cybersecurity outcomes in light of the growing sophistication of evolving threats.

The directive is effective as of October 24, 2023, and companies will need to

The recently announced disruption of the Hive ransomware network is a significant and welcome accomplishment. It cuts off bad actors from the gains they sought to extract from victims and makes their continued criminal activity more challenging. Raising the cost on malicious cyber actors is always a good way to deny them the inherent benefits of online crime, such as distance from target, anonymity, and freedom of operation.Continue Reading Important Lessons from the Hive Ransomware Disruption

Recent comments by Anne Neuberger, President Biden’s Deputy National Security Adviser for Cyber and Emerging Technology, herald an important shift in U.S. cybersecurity policy. Traditionally, the U.S. Government’s approach has mostly focused on requiring companies to notify regulators and affected individuals of security breaches that implicate specific types of information, such as personally identifiable information, protected health information, and financial information. Federal efforts to prescribe or enforce proactive security measures have been sector-specific, such as the Transportation Security Administration’s Security Directives covering rail and pipeline owners and operators. Those measures have been spread among sector-specific agencies, which has resulted in multiple, and sometimes conflicting or confusing, requirements applying to some businesses. Federal law enforcement agencies have also made targeted and novel use of criminal search authorities to proactively remediate privately owned machines infected with malware by Russian and China-based actors.Continue Reading Biden Administration Plans Mandatory Cybersecurity Regulations for Critical Infrastructure Companies

The Cybersecurity and Infrastructure Security Agency seeks public input on regulations that will set new mandatory cybersecurity reporting requirements for critical infrastructure companies. Open questions include the following:

  • Who will be subject to the new requirements?
  • What level of incident will trigger mandatory reporting?
  • How much follow-up reporting will be required?
  • What costs could potential

The U.S. Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative, announced last October, is designed to leverage existing whistleblower incentives for employees, or other persons with inside knowledge, to identify lapses in federal contractors’ cybersecurity and privacy practices. We gave that issue in-depth treatment here, with particular focus on the U.S. District Court for the Eastern District of California’s opinion in United States ex. rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245 WBS AC, 2022 WL 297093 (E.D. Cal. Feb. 1, 2022), denying the defendant’s motions for summary judgment on a majority of the relator’s False Claims Act (FCA) claims.Continue Reading Recent Settlement Highlights Cybersecurity Whistleblower Risk for Government Contractors

The Federal Communications Commission recently adopted certain final rules, policies, and proposed rules to “stem the tide of foreign-originated illegal robocalls.” The FCC Order targets so-called “gateway providers,” which are U.S.-based intermediate providers that receive calls directly from a foreign provider or its U.S.-based facilities before transmitting the calls downstream. Among other things, the Order