On July 26, 2023, the U.S. Securities and Exchange Commission (the “SEC” or “Commission”) adopted rules to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance.
Recent Developments In Data Privacy Enforcement In Brazil And A Comparison With The U.S. Regime
The Brazilian General Data Protection Law (the “LGPD”—Lei Geral de Proteção de Dados)[1] came into effect in September 2020. Given the LGPD’s relatively recent adoption, there has been uncertainty surrounding how public authorities and courts in Brazil will interpret and apply the law. On February 27, 2023, the Brazilian national data protection authority (the “ANPD” Autoridade Nacional de Proteção de Dados) addressed some of this uncertainty when it issued sanctioning guidelines for the LGPD (the “Sanctioning Guidelines”).[2] The Sanctioning Guidelines offer insight into the types of sanctions companies may face and the factors the ANDP will consider when imposing such sanctions.
SEC Charges Public Company For Alleged Misleading Disclosures Surrounding Ransomware Attack
On March 9, 2023, the Securities and Exchange Commission (“SEC”) brought an enforcement action against a public company, Blackbaud Inc. (“Blackbaud” or the “Company”), alleging that it had made misleading disclosures about a 2020 ransomware attack.[1] This is the fourth SEC settled enforcement action concerning disclosures following a cyberattack.[2] This development highlights increased regulatory scrutiny that public companies face related to cyberattacks and serves as a potential prelude to the SEC’s aggressiveness in enforcing its upcoming revised rules on cybersecurity incident disclosures.
Cybersecurity: Continued Cyberattacks and New Regulations Result in Increased Risk
The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2023”.
In a recent survey of almost 2,800 global organizations, one in five respondents reported experiencing a ransomware attack in 2021—with almost half of those respondents suffering significant operational impacts as a result.
Cyber Incident Reporting for Critical Infrastructure Act Signed Into Law
On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which imposes federal reporting requirements for cyber incidents and ransomware attack payments. The legislation will require covered critical infrastructure entities to report to the Cybersecurity and Infrastructure Security Agency within 72 hours of forming a
U.S. Senate Fast Tracks Major Cybersecurity Legislation in Response to Russia Threat
On March 1, 2022, the U.S. Senate passed by unanimous consent a package of three cybersecurity bills, known collectively as the Strengthening American Cybersecurity Act, which would enhance reporting requirements for certain major cyber incidents and ransomware attacks. Senators Gary Peters and Rob Portman, who co-sponsored the Act, expressed the urgency of enhancing the nation’s cyber readiness “in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine.”[i]
Continue Reading U.S. Senate Fast Tracks Major Cybersecurity Legislation in Response to Russia Threat
Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus
A 2021 survey of chief legal officers demonstrated that cybersecurity has overtaken compliance as the most significant legal risk that businesses face today. This should not come as a surprise as 2021 brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets.
Continue Reading Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus
The Federal Trade Commission Warns Companies to Remediate the “Log4j” Software Security Vulnerability
On January 4, 2022, the Federal Trade Commission (FTC) issued a clear warning to companies to remediate any software vulnerabilities associated with the Java-based Log4j software. A critical security flaw was identified in Log4j, which is embedded in major software applications and is widely used by businesses in all sectors of the economy, this past December. The security flaw potentially allows bad actors to gain unfettered access to affected computer systems and to any sensitive information they contain.
The FTC, which increasingly prioritizes privacy and data security enforcement, stressed that companies have a legal duty to mitigate known software vulnerabilities—including Log4j—that risk harm to consumers and may face legal action from the FTC if they fail to do so.
The Office of the Comptroller of the Currency Warns of Increasingly Complex Cyber Risks for Banks
On December 6, 2021, the National Risk Committee of the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2021, which reports on key issues affecting the federal banking system.[1] The report highlights the “evolving and increasingly complex” danger to the financial system from cyber threats, and encourages banks and financial institutions to adopt robust cyber controls to minimize operational risk. It also stresses the need for risk-management policies and procedures that are tailored to new technological innovations, including cryptocurrencies and other digital assets.
Continue Reading The Office of the Comptroller of the Currency Warns of Increasingly Complex Cyber Risks for Banks
The Centennial State Claims a New Number: Colorado to Become Third State in the U.S. to Enact Comprehensive “Privacy Act”
Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which