Regulatory Playbook | Pillsbury Law | Cybersecurity, Privacy & Data Protection | Insights
Regulatory Playbook
Inside analysis direct from Washington, DC

Cybersecurity, Privacy & Data Protection

  • DHS to Boost State and Local Cybersecurity Programs with $1 Billion in Grant Funding
    09.27 / Alert

    On September 16, 2022, the Department of Homeland Security (DHS) announced a Notice of Funding Opportunity (Notice) for a “first-of-its-kind” program providing cybersecurity grants for state, local and territorial governments across the country through the State and Local Cybersecurity Grant Program (SLCGP). The agency is poised to provide similar assistance to tribal governments through the Tribal Cybersecurity Grant Program (TCGP), which is expected to be announced in the coming months.

  • China Passes Long-Awaited Measures on Security Assessment for Data Export

    On July 7, 2022, the Cyberspace Administration of China (CAC) of the People’s Republic of China (PRC or China) released the final version of the long-awaited Measures on Security Assessment for Data Export (Measures, “《数据出境安全评估办法》” in Chinese). The Measures specify the thresholds of data and information, the export of which is subject to CAC’s security assessment.

  • Landmark Federal Privacy Bill Clears First Congressional Hurdle

    In early June, Rep. Frank Pallone (D-NJ-6) and Rep. Cathy McMorris Rodgers (R-WA-5), the Chair and Ranking Member of the House Energy & Commerce Committee, along with Senator Roger Wicker (R-MS), Ranking Member of the Senate Science, Commerce & Transportation Committee, unveiled a draft federal privacy bill known as the “American Data Privacy and Protection Act.” The proposal—the first to garner bipartisan, bicameral support in Congress—would establish a national framework to protect consumer data privacy and security and bolster individual privacy rights.

  • Contractor Settles Cybersecurity-Related False Claims Act Suit for $9 Million

    A seven-year-long False Claims Act suit comes to an end after Aerojet Rocketdyne reaches a $9 million settlement agreement for its alleged false certification of compliance with cybersecurity requirements.

  • DoD Increases Focus on Cybersecurity Compliance

    A recent DoD memorandum should serve as a warning to contractors that they need to focus on cybersecurity compliance now or risk serious consequences.

  • Staff Accounting Bulletin No. 121: Guidance for Entities Safeguarding Crypto-Assets Issued

    On March 31, 2022, the Division of Corporation Finance and the Office of the Chief Accountant (staff) of the U.S. Securities and Exchange Commission (SEC) issued Staff Accounting Bulletin No. 121 (SAB 121), which “adds interpretive guidance for entities to consider when they have obligations to safeguard crypto-assets held for their platform users.”

  • Bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 Signed into Law

    The new law arrives during a notably troublesome cybersecurity environment, in which the United States’ most crucial commercial sectors could be vulnerable to cyber intrusions and demands for ransomware payments.

  • Twelve Hours to Get It Right: The SEC Intensifies Its Focus on Cybersecurity

    On the morning of May 24, 2019, a cybersecurity journalist notified First American Financial Corporation (First American) that one of its key applications had a serious vulnerability. First American, a publicly traded company that provides real estate settlement services, utilized the application Eagle Pro to share images of legal and financial documents used in real estate closings. According to an anonymous source, the vulnerability allowed unauthorized users to access over 800 million documents that had been shared with First American. Many of these documents contained sensitive data, such as social security numbers, financial records and driver’s licenses, which the journalist who published the article later that day described as “a virtual gold mine for phishers and scammers.”

  • DOJ Announces Civil Cyber-Fraud Initiative to Combat Cybersecurity Threats

    DOJ launches a new initiative that promises to use the False Claims Act to combat cybersecurity threats by targeting government contractors who knowingly fail to comply with cybersecurity protocols.

  • Bipartisan Senators Introduce the Cyber Incident Notification Act of 2021

    On July 21, 2021, Senator Mark Warner (D-VA), chair of the Senate Intelligence Committee, and a bipartisan group of co-sponsors including Senator Marco Rubio (R-FL) and Senator Susan Collins (R-ME), formally introduced the Cyber Incident Notification Act of 2021. In light of high-profile cybersecurity incidents such as the Colonial Pipeline attack, the Act aims to require companies and federal agencies to quickly report cybersecurity intrusions to the Federal Government.

  • Colorado’s Emergent Consumer Privacy Bill Introduces Chance to Opt Out of Data Processing

    On June 8, 2021, the Colorado Senate passed SB 21-190, a comprehensive consumer privacy bill. Signed into law on July 7, 2021, the bill gives consumers the right to opt out of the processing of their personal data and to request that personal data be corrected or deleted.

  • China Publishes New Draft Regulations on Data Security Management of Automobile Operators to Protect Privacy

    On May 12, 2021, the Cyberspace Administration of China (CAC) published the Several Regulations on the Management of Automobile Data Security (Draft for Comment) (Draft Regulations). The Draft Regulations are open for public comment until June 11, 2021. According to the CAC’s statement, due to growing concerns over personal data security and privacy protection in the People’s Republic of China (PRC), the Draft Regulations aim to strengthen protection of personal information and important data in automobile-related activities, as well as to safeguard national security and the public interest. Below is our summary of the highlights of the Draft Regulations.

  • Cybersecurity Executive Order Will Impact Government Contractors

    President Biden’s new Executive Order to improve cybersecurity involves a particular focus on federal government and contractor systems.

  • COVID-19 Business Interruption Losses: Time is of the Essence to Pursue Coverage

    The United States declared a national emergency in response to COVID-19 on March 13, 2020, and states quickly followed with stay-at-home orders that impacted businesses and institutions nationwide. More than 10 months have passed since the COVID-19 pandemic emerged in the United States and the prevalence of the virus has had significant impacts, not only with respect to the number of people infected and lives lost, but also to the widespread physical damages and economic losses suffered by businesses.

  • Copyright Small-Claims Court Established by Congress in the CASE Act

    According to Register of Copyrights in its 2013 Report on Copyright Small Claims, “small claims issues are anything but small. On the contrary, they present a range of complex considerations, from constitutional constraints to procedural concerns to questions of what claims should be eligible for alternative treatment.” Before the recently enacted CASE Act, there had not been a small-claims court with jurisdiction to hear copyright claims.

  • Congressional and Government Investigations in 2021: What to Expect from the Biden-Harris Administration and How to Prepare

    Government investigations pose many risk management challenges. They are unpredictable, political and often public. If handled incorrectly, they can last for many years, spiral into multiple Congressional, criminal, and/or regulatory investigations at the state and federal levels, and generate serious reputational harm. Potential targets can take proactive steps to mitigate their risks.

  • China Publishes Import License List and Export Control List for Commercial Encryption

    One day after China’s new Export Control Law took effect, on December 2, 2020, China’s Ministry of Commerce (MOFCOM), the State Cryptography Administration (SCA) and the General Administration of Customs (GAC) jointly issued an Announcement on the Issuance of Import Licensing List, Export Control List and Related Administrative Measures for Commercial Encryption (Encryption Announcement) to restrict commercial encryption products and related technology. The Encryption Announcement takes effect on January 1, 2021, and includes: (1) a list of commercial encryption items subject to import licensing requirement (Encryption Import List); (2) a list of commercial encryption items subject to export control (Encryption Export List); and (3) procedures for the application of import and export licensing of commercial encryption (Encryption Licensing Procedures).

  • Cookies and Tracking Under Increased Scrutiny as Irish Data Regulator Issues New Enforcement Guidance

    Businesses tracking website visitors and customers via cookies and other techniques are reminded that this is an area of increased scrutiny and many prior practices won’t be acceptable. Regulators have signalled changes need to be made to comply and they will increase enforcement.

  • New York Expands Cybersecurity and Data Breach Law

    On July 25, 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which broadens the scope of existing New York breach notification and data protection laws that trigger notification to affected consumers. The New York Attorney General will enforce the SHIELD Act (S.5575B/A.5635), which extends the reach of New York breach notification requirements to any person or entity holding private information of a New York resident, regardless of whether the breached company conducts business in New York State. This provision could significantly expand the set of companies subject to New York reporting requirements. The law also broadens the definition of breach, expanding a data breach to any situation involving unauthorized “access” to confidential information regardless of whether such data is “acquired.” The SHIELD Act does not create a private cause of action; however, the New York Attorney General may bring an action for civil penalties or to enjoin unlawful practices. The SHIELD Act also expands the time period within which the New York Attorney General may bring an action from two to three years. Penalties for violation of the data breach provisions can be imposed in the amount of the greater of $5,000 or up to $20 per instance of a failed notification, up to $250,000. Penalties for failing to adopt reasonable safeguards can be imposed up to $5,000 per violation.

  • Countdown to CCPA #2: GDPR Compliance Does Not Equal CCPA Compliance

    The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. The Act grants “consumers” (any California resident, regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information.

  • Countdown to CCPA: Do You Know Where Your Data Is?

    It’s January 2, 2020, and you just received 25 requests asking for disclosure about your data collection, use and sharing practices and for a copy of the specific pieces of personal information you collected about the requesting individuals during the last 12 months. You have 45 days to respond. What do you do? Close down the business so you can find the information? By being prepared you can avoid a crisis.

  • The Deadline Looms for New York Cybersecurity Regulations Vendor Compliance Requirements

    Financial institutions regulated by the New York Department of Financial Services (DFS)—referred to in this post as “Covered Entities”—should by now be well familiar with the department’s sweeping cybersecurity regulation, 23 NYCRR 500, which became effective on March 1, 2017. The regulation delves into a level of detail (e.g., multi-factor authentication and encryption requirements) and requires a level of senior-level attention (e.g., annual attestation of compliance, signed by the Board of Directors or a Senior Officer) heretofore unseen in U.S. federal or state regulations.

  • Pillsbury's Post-Election Outlook

    The 2018 Midterm Election played out as most poll forecasters speculated. Although several races have yet to be decided, Republicans have retained control of the Senate, but lost at least 29 seats, allowing the Democrats to wrest back control of the House for the first time since 2010.

  • 2018 Election Night Guide

    Pillsbury’s Political Law and Public Policy groups break down the need-to-know numbers for this year’s election. Pillsbury’s biennial Election Night Guide examines the potential outcomes for the 2018 Congressional and Governor’s races. Our Public Policy team is also preparing a post-election guide that will be useful in navigating potential changes in Congress.

  • New EU Data Laws—What Nonprofit Organizations Need To Know

    Nonprofit organizations can often handle large amounts of data originating in the EU. Though it is a common misconception that nonprofits are exempt from GDPR compliance, the fact is they are not.

  • Blockchain and the Legal Landscape

    In this video, Pillsbury partner Mercedes Tunstall discusses some of the important legal issues to consider when exploring a blockchain solution.

  • Oh No, Mr. Robot Just Hacked Our Smart Building…

    Despite some very real-world examples, such as a 2017 breach of Dallas' emergency siren system, there seems to be little recognition of the security risk that connected buildings and smart cities entail.

  • Top Ten Emerging Trends in Pay Ratio Disclosure

    Preliminary trends are emerging from the pay ratio disclosures filed by U.S. public companies in 2018.

  • Court of Appeals Rolls Back Portions of the FCC’s 2015 Robocall and Text Ruling

    A recent Court of Appeals decision will rescind some aspects of the Telephone Consumer Protection Act and have significant implications for businesses contacting consumers by telephone or text.

  • Safety from Hackers—and Trial Lawyers

    A simple legislative fix would shield cybersecurity innovators from costly nuisance lawsuits.

  • European Businesses Offering Payment Services Told How to Manage Operational and Security Risks

    The European Banking Authority has unveiled nine operational and risk management guidelines with which all payment services providers are expected to comply.

  • December 31, 2017 Deadline for Cybersecurity under DFARS 252.204-7012 Re-Interpreted

    With the December 31 deadline for cybersecurity compliance just around the corner, the Department of Defense has clarified some of its expectations.

  • Time Is of the Essence: Multinational Companies Must Respond to Cyber Regulation

    Cyberinsurance could help mitigate risk for companies impacted by the new EU General Data Protection Regulation when it takes effect in May.

  • EU Data Transfer Solutions Under Further Judicial Scrutiny – What Next For Model Contract Clauses?

    Many organizations rely on MCCs to transfer personal data worldwide. That's why data exporters await an EU ruling on the issue with bated breath.

  • The ICO’s Draft Guidance Leaves Unanswered Questions on Processor Obligation to Notify Infringing Instructions

    One GDPR requirement has been a particular source of angst for commercial and data protection professionals, especially those acting for processors and sub-processors.

  • Cyberattacks Are the New Norm

    Attorneys general are increasingly launching investigations and filing lawsuits against companies whose customer databases have been stolen. Because of the significant possibility of government action, companies should fully understand their liability insurance policies, obligations and risks.

  • Disclose or Else: FTC Steps Up Prosecution of Social Media Influencers

    In September 2017, the Federal Trade Commission brought its first-ever action against a social media influencer for failing to make appropriate disclosures on sponsored posts. Going forward, anyone who posts sponsored material or even tags a brand in a post should seriously consider the possibility of FTC prosecution.

  • The Internet Stole My Face: New Advances in Technology Could Make Everyone a Digital Video Puppet

    Visual effects artists can create realistic digital replicas of actors that can be manipulated like puppets, and new developments in software technology could soon make digital puppetry accessible to the masses. Protections against unauthorized use of digital replicas can involve copyright or traditional tort claims, but if this technology continues to spread, the difficulty in controlling one’s own likeness will probably increase.

  • Keeping up with Cayla: Concerns over Interactive Toys Spur an FTC Update of COPPA Guidelines

    Consumer groups have filed a complaint alleging that My Friend Cayla, an internet-connected doll, violates the Children’s Online Privacy Protection Act (COPPA) by facilitating the collection of children’s communications and uploading them for commercial use without verifiable parental consent. The Federal Trade Commission’s June 2017 update to COPPA added internet-connected toys, children’s products that collect personal information, and voice-activated devices to the products and services covered.

  • Executive Order on Cybersecurity: Considerations for Business

    The long-awaited Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure represents the Trump Administration’s first significant action to support cybersecurity and protect critical infrastructure, and the initial days after its release generated a flurry of questions on the specifics of the White House’s cyber agenda.

  • With GDPR, Companies Must Act Now

    Pillsbury’s European Data Privacy & Cybersecurity practice leader Rafi Azim-Khan talks to Bloomberg BNA about the global impact of the EU General Data Protection Regulation. The interview explores expanded monetary risk and accountability under the GDPR, and what companies should—and should not—do to become GDPR-ready.

  • Don’t Rock the Vote: Helping State and Local Governments Fend Off Cyber Attacks

    Voting in local, state and national elections could be viewed as a rudimentary form of social media, by which voters share their views and preferences via selection of a candidate or party platform. The distance between this “old school” social media and its multi-headed modern form has shrunk thanks to the advent of electronic voting machines and online voting. But, as always, with the implementation of new technologies comes new risks.

  • Managing the Cybersecurity Risks of the Medical Internet of Things

    The cybersecurity ramifications of the Internet of Things (IoT) are perhaps nowhere more crucial, potentially a matter of life and death, than in the realm of medical devices. Until recent times, a potential hack of the data sharing that is a hallmark of the IoT raised far more privacy concerns than actual health risks. However, as medical devices begin to evolve and make use of the connectivity of the IoT, this balance may change.