On September 30, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Multi-State Information Sharing and Analysis Center (“MS-ISAC”) released a joint guide synthesizing best practices to prevent and respond to ransomware. This guide was published the day before OFAC and FinCEN released their coordinated guidance on ransomware attacks that we previously summarized here. … Continue Reading
Consistent with the U.S. Department of the Treasury’s ongoing focus on cyber-enabled financial crime, on October 1, 2020, two components of the Treasury Department’s Office of Terrorism and Financial Intelligence issued guidance on ransomware-related payments. One, an advisory issued by the Office of Foreign Assets Control (“OFAC”), describes the significant U.S. sanctions risks of facilitating … Continue Reading
In this edition of our regular roundup on legislative initiatives related to artificial intelligence (AI), cybersecurity, the Internet of Things (IoT), and connected and autonomous vehicles (CAVs), we focus on key developments in the European Union (EU).… Continue Reading
In a new post on the Covington Energy & Environment Blog, our colleagues discuss the Federal Energy Regulatory Commission’s Notice of Inquiry on updating reliability standards related to cybersecurity, especially given the threat of a coordinated cyberattack targeting geographically distributed generation resources. The Commission also issued a staff paper that suggests a framework for providing … Continue Reading
On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12. The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee. The judgment is significant in that it overturned the decisions of the two lower … Continue Reading
In order to combat the proliferation of COVID-1, several EU Member States have strongly recommended or required that employees engage in teleworking, rather than attend work as normal. In this context, the European Union Agency for Cybersecurity (“ENISA”), on March 15, 2020, issued its “top tips for cybersecurity when working remotely”. Some data protection Supervisory … Continue Reading
On March 21, 2020, the data security requirements of the New York SHIELD Act became effective. The Act, which amends New York’s General Business Law, represents an expansion of New York’s existing cybersecurity and data breach notification laws. Its two main impacts on businesses are: expanding data breach notification requirements under New York law; and … Continue Reading
Covington experts on issues as varied as supply chain and other commercial contracts, employment, and insurance are supporting companies on the commercial implications of Coronavirus COVID-19. But this blog post provides a brief overview of some of the key issues that privacy and cybersecurity professionals should have top of mind in dealing with response efforts. … Continue Reading
Last Friday, the Department of Defense announced the release of Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”), which sets forth the cybersecurity requirements that contractors and suppliers must meet to participate in the Department’s supply chain. A new post on Covington’s Inside Government Contracts blog discusses the release of Version 1.0 of the … Continue Reading
On November 20, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for the Publication of Cybersecurity Threat Information (“Draft Measures”) for public comment. (An official Chinese version is available here). The comment period ends on December 19, 2019. The release of the Draft Measures marks an important step forward in implementing Article … Continue Reading
Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses. The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices. While not binding requirements, the … Continue Reading
Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws. Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined … Continue Reading
On July 25, New York Governor Andrew Cuomo signed two data security and breach notification bills into law. The first bill, the “Stop Hacks and Improve Electronic Data Security Act” or “SHIELD Act,” will impose specific data security requirements on businesses that own or license private information of New York residents, in addition to amending … Continue Reading
On July 5, 2019, China’s Standing Committee of the National People’s Congress (NPC) published a new draft Encryption Law (“the draft Law”) for public comment. The draft Law, if enacted as drafted, would bring significant new changes to China’s commercial encryption regime. The State Cryptography Administration (“SCA”) previously issued an initial draft of this law … Continue Reading
On May 24, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures on Cybersecurity Review (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here). The comment period ends on June 24, 2019. The publication of these Draft Measures … Continue Reading
On May 13, 2019, China’s State Administration for Market Regulation (“SAMR”) released three core national standards related to the country’s Cybersecurity Multi-level Protection Scheme (“MLPS”), describing technical and organizational controls that companies must follow when complying with MLPS-related obligations under the Cybersecurity Law (“CSL”). These standards, which are commonly referred to as the “MLPS 2.0 … Continue Reading
On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”). A previous version of the Guideline was released for public comments on November 30, 2018. Under China’s Cybersecurity Law (the “CSL”), MPS is the key regulator tasked with protecting … Continue Reading
On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”). To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General … Continue Reading
On March 15, 2019, the State Administration for Market Regulation and the Cyberspace Administration of China (“CAC”) jointly issued the Announcement on the Implementation of App Security Certification (the “Announcement”), creating a voluntary (but state-sanctioned) security certification scheme for mobile applications (“Security Certification Scheme”). Operators of mobile applications are encouraged to obtain this certification to … Continue Reading
Following a political agreement at the end of 2018, earlier this week the European Parliament approved a new cybersecurity regulation known as the EU “Cybersecurity Act” This forms part of the EU’s Cyber Package, first announced in September 2017 (which we blogged about here). In addition to reinforcing the mandate of ENISA — now to … Continue Reading
On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up … Continue Reading
Hospitals and other health care organizations are attractive targets for cyber-attacks, in part because their databases contain medical records and other sensitive information. Breaches of this information could have very serious implications for patients. Moreover, electronics connected to a health care facility’s network keep people alive, distribute medicines, and monitor vital signs. As a result, … Continue Reading
The Governor of Massachusetts recently signed House Bill No. 4806 into law, which will amend certain provisions of the state’s data breach notification law. In addition to changing the information that must be included in notifications to regulators and individuals, the amendments will also require entities to provide eighteen months of free credit monitoring services … Continue Reading
Recent years have seen significant amounts of legislative activity related to state data breach notification laws, and 2018 was no exception. Not only did South Dakota and Alabama enact new data breach notification laws in 2018, becoming the last of 50 U.S. states to enact such laws, but other states also enacted changes to existing … Continue Reading
