The U.S. Securities and Exchange Commission proposed rules that will require public disclosure not only of cybersecurity incidents, but also of aspects of public companies’ preparedness for cyber threats. The proposed rules set a short time frame for reporting “material” compromises, and the rules do not provide for delayed disclosure at the request of law enforcement or other investigators.

The comment period for the proposed rules ends on May 9, 2022.

Federal Trade Commission Chair Lina Khan made her first speech about privacy at the opening of this year’s International Association of Privacy Professionals conference. She noted ways the FTC is using its resources to “rein in” what she called “surveillance-based business models.”

China’s internet watchdog, the Cyberspace Administration of China, has continued to tighten its regulation of internet industries and driven the formulation of many new laws and regulations in cybersecurity and data protection in China.

On March 17, 2022, the CAC reported to the public its campaign’s achievements. These achievements showcased the determination of regulators to clean up improper activity on the internet and will serve as a deterrent to future inappropriate action, as well as guidance for proper conduct.

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This follows increased reporting of cyber threats facing critical infrastructure sectors, particularly the energy sector. The regulations implementing the reporting requirements may be several years away, but they overlap with other new reporting requirements such as the recently proposed U.S. Securities and Exchange Commission rules.

Given the heightened threat environment and forthcoming reporting requirements, companies may want to understand the new rules and evaluate their cybersecurity posture.

A new U.S. Supreme Court decision holds that federal courts cannot enforce or vacate arbitration awards under Sections 9 and 10 of the Federal Arbitration Act unless they have an independent jurisdictional basis to consider the case.

Previously, many federal courts would “look through” an arbitration enforcement action to the subject of the underlying dispute when determining jurisdiction to enforce or vacate. However, the Supreme Court decided that an action to enforce an arbitral award is essentially a contractual interpretation case that belongs in state court, absent diversity of citizenship jurisdiction under 28 U.S.C. § 1332(a). As a result, most actions to enforce or vacate arbitration awards now must be brought in state courts.

In the latest in a series of setbacks for employers facing claims under the Illinois Biometric Information Privacy Act, the Supreme Court of Illinois held last month that the Illinois Workers’ Compensation Act does not preempt BIPA claims for statutory damages brought by employees. The decision in McDonald v. Symphony Bronzeville Park, LLC, et al. has triggered the resumption of many dozens of BIPA workplace lawsuits which were stayed while the Illinois high court considered the case, and will likely encourage even more lawsuits from current and former Illinois employees.

Companies doing business in the United States should start preparing for the Utah Consumer Privacy Act, which was signed into law on March 24, 2022, and will go into effect on December 31, 2023. The law is more business-friendly than existing omnibus state privacy laws, in that it generally provides fewer consumer rights and company obligations. This update describes the law’s key features and how to prepare for compliance.

In rapid succession, the following occurred:

Congress enacted new cybersecurity requirements for critical infrastructure.
The U.S. Securities and Exchange Commission proposed a new cybersecurity rule.
The U.S. Department of Justice unsealed indictments of Russian cyber operatives targeting the U.S. energy sector.
The Federal Bureau of Investigation and the U.S. Department of Homeland Security pushed out new cybersecurity advisories.

This update summarizes the threats that the indictments described and sets the stage for new security and incident response requirements.

On February 25, 2022, the Utah Senate unanimously (28-0) passed Senate Bill 227, also known as the Utah Consumer Privacy Act (Privacy Act). The 2022 session adjourned on March 4, and Utah Governor Spencer Cox has 20 days from that date to either sign (or not sign) the bill, after which it becomes law, or veto the bill, in which case it does not become a law unless the legislature overrides the governor’s veto. The Privacy Act would become the fourth comprehensive state consumer privacy law in the United States.

The U.S. Federal Communications Commission is seeking public comment on vulnerabilities that threaten the security and integrity of the Border Gateway Protocol, which is central to the internet’s global routing system. The BGP’s design is widely deployed and lacks security features to ensure trust in the information being exchanged.

The FCC seeks comment on how the agency can help strengthen the nation’s communications network and related critical infrastructure. The request for comment represents the first major cybersecurity-related action taken by the FCC in the wake of Russia’s escalating military campaign in Ukraine.
