On March 1, 2022, the U.S. Senate passed by unanimous consent a package of three cybersecurity bills, known collectively as the Strengthening American Cybersecurity Act, which would enhance reporting requirements for certain major cyber incidents and ransomware attacks. Senators Gary Peters and Rob Portman, who co-sponsored the Act, expressed the urgency of enhancing the nation’s cyber readiness “in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine.”[i]
Continue Reading U.S. Senate Fast Tracks Major Cybersecurity Legislation in Response to Russia Threat
SEC Chair Previews Ramp Up in Regulation and Enforcement in the Cybersecurity Context
On January 24, 2022, Securities and Exchange Commission Chair Gary Gensler gave a speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute signaling the SEC’s intention to step up its cyber-related regulatory and enforcement efforts. Gensler described the continued rise in cybersecurity incidents targeting the financial sector as a serious threat to the nation’s economy and critical infrastructure, with costs potentially in the trillions of dollars.
Continue Reading SEC Chair Previews Ramp Up in Regulation and Enforcement in the Cybersecurity Context
Data Breach Class Action Against Bonobos Dismissed For Lack of Standing
On January 19, 2022, District Judge Jesse M. Furman of the Southern District of New York dismissed a putative class action filed against men’s clothing store Bonobos, Inc., following an August 2020 data breach. Judge Furman determined that a Bonobos customer whose personal information was stolen in the breach failed to demonstrate a sufficiently substantial risk of harm to establish standing to sue.
The decision in Cooper v. Bonobos reflects the increased uncertainty regarding the viability of suits for damages based solely on future risk of identity theft or fraud, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez.
Continue Reading Data Breach Class Action Against Bonobos Dismissed For Lack of Standing
Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus
A 2021 survey of chief legal officers demonstrated that cybersecurity has overtaken compliance as the most significant legal risk that businesses face today. This should not come as a surprise as 2021 brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets.
Continue Reading Cybersecurity: Data Breaches, Ransomware Attacks and Increased Regulatory Focus
The Office of the Comptroller of the Currency Warns of Increasingly Complex Cyber Risks for Banks
On December 6, 2021, the National Risk Committee of the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2021, which reports on key issues affecting the federal banking system.[1] The report highlights the “evolving and increasingly complex” danger to the financial system from cyber threats, and encourages banks and financial institutions to adopt robust cyber controls to minimize operational risk. It also stresses the need for risk-management policies and procedures that are tailored to new technological innovations, including cryptocurrencies and other digital assets.
Continue Reading The Office of the Comptroller of the Currency Warns of Increasingly Complex Cyber Risks for Banks
Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements
On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after they occur.[1] The rule separately requires bank service providers to notify their bank customers if they experience a cyber incident that causes, or is reasonably likely to cause, a material disruption of services that lasts for four or more hours.
Continue Reading Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements
The Centennial State Claims a New Number: Colorado to Become Third State in the U.S. to Enact Comprehensive “Privacy Act”
Colorado is set to become the third state in the nation to enact comprehensive privacy legislation with the passing of SB 21-190, more commonly known as the Colorado Privacy Act (“ColoPA” or the “Act”). Governor Jared Polis is expected to sign the ColoPA into law in the coming days, after which
Second Circuit Articulates Injury Standard in Data Breach Suits
Last week, the Second Circuit affirmed the dismissal for lack of Article III standing a proposed class action against a health services provider that mistakenly disclosed personally identifiable information (“PII”). In its opinion, the Second Circuit held that plaintiffs may establish Article III standing based on an increased risk of identity theft or fraud following an unauthorized disclosure of their data, but that the standard was not met based on the facts presented. The decision, which is the first time the Second Circuit has explicitly adopted this standard, has potentially important implications going forward for data breach cases.
Continue Reading Second Circuit Articulates Injury Standard in Data Breach Suits
FTC to Corporate Boards: Mind Your Data Security
On April 28, 2021, the U.S. Federal Trade Commission (“FTC”) published a blog post reminding corporate boards of directors of their responsibility to oversee data security issues and ensure that consumer and employee data are protected. The FTC’s post is a continuation of its efforts to “elevate data security considerations to the C-Suite and Board level.”
By way of background, the FTC noted that it has continued to challenge companies’ data security practices on the grounds of allegedly deceptive or unfair conduct. The Commission is also actively reviewing certain data security rules targeted at safeguarding health records and consumer information held by financial institutions.Continue Reading FTC to Corporate Boards: Mind Your Data Security
The “New” Dominion of Privacy Law: Virginia Becomes Second State to Pass Comprehensive Consumer Data Privacy Act
Last month, the Virginia Consumer Data Protection Act was signed into law, making Virginia the second state in the nation to enact comprehensive data privacy legislation. The Act resembles and adopts some terms from the California Consumer Privacy Act (“CCPA”); the California Privacy Rights Act of 2020, which amends and expands the CCPA; and the