Photo of Briana Fasone

On March 13, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had opened an investigation into the monumental cyberattack on Change Healthcare (“Change”), a unit of UnitedHealth Group (“UHG”). The attack is one of the largest assaults against the U.S. health care system, with far-reaching

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) released version 2.0 of its Cybersecurity Framework (“CSF 2.0”)—the first significant update to the cybersecurity guidance since its initial publication a decade ago.[1] While the original guidance was tailored to critical infrastructure entities, the new version has a broader scope and applies to organizations of all sizes across industries, from large corporations with robust data protection infrastructure to small schools and nonprofits that may lack cybersecurity sophistication.[2] CSF 2.0 notably incorporates new sections on corporate governance responsibilities and supply chain risks; additionally, NIST has released supplemental implementation guides and reference tools that can assist organizations measure cybersecurity practices and hone data protection priorities.[3]Continue Reading NIST Publishes Long-Awaited Cybersecurity Framework 2.0

Not that long ago, financial sector regulations seldom mentioned cybersecurity expressly, instead addressing the issue indirectly through restrictions focused on general system safeguards and omnibus reporting requirements. Gone are those days. Over the past few years, federal and state regulators have increased focus on information security issues impacting financial institutions, introducing a spate of cyber rules that often include stringent regulatory reporting and disclosure requirements. This year was no different.Continue Reading Making a List and Checking it Twice: The Impact of Cybersecurity Regulations on Financial Services in 2023

On November 1, 2023, New York Governor Kathy Hochul announced that the New York Department of Financial Services (“NYDFS”) finalized amendments to its Part 500 Cybersecurity Regulations (“Final Amendments”)—the first significant change to the regulations since their inception in March 2017. The Final Amendments generally track previous NYDFS proposed amendments—including the November 9, 2022 proposal that we covered here—with certain important changes.Continue Reading NYDFS Finalizes Significant Amendments to its Cybersecurity Regulations

Last week, Delaware Governor John Carney signed into law the Delaware Personal Data Privacy Act (“DPDPA”), the state’s new consumer privacy law that will become effective January 1, 2025. The First State is now the 12th state to fully enact a comprehensive consumer data privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Our previous posts on laws in those states can be found here. Though the DPDPA generally tracks consumer privacy laws in other states—particularly those in Colorado, Connecticut, and Oregon—it does contain nuances that organizations should note, particularly a lack of general exclusions for nonprofits and higher education institutions as well as a lower threshold for applicability.Continue Reading Delaware Becomes Twelfth State to Pass Consumer Privacy Law

Since 2000, technological advances have transformed how customers interact with financial institutions and how such firms store, process and protect personal information. The proliferation of large-scale hacks and data breaches throughout this time simultaneously demonstrated the difficulty of data protection given the ever-evolving nature of cybercrime. Despite these developments, the SEC has failed to update

Blackbeard may not be the first name that comes to mind when considering cybercrime, but prior international efforts to stop stateless rogue actors can point us toward the proper focus for cybersecurity—governments taking responsibility to solve a classic collective action problem by direct action, supporting existing industry defense measures, and leading multilateral cooperation efforts. This

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced proposed amendments to its Part 500 Cybersecurity Rules (“Proposed Amendments”), revising an initial set of draft amendments released in July 2022. While NYDFS may have relatively limited jurisdiction, its emphasis on rapid breach reporting and data governance have had considerable influence on other U.S. financial services regulators. The current Cybersecurity Rules impose a 72-hour reporting requirement for cybersecurity events, and the Proposed Amendments go farther, creating an additional 24-hour notification obligation in the event a ransomware payment is made. Additionally, the Proposed Amendments create new requirements for larger “Class A” companies, including a risk assessment by an external expert every three years and an independent audit of cybersecurity programs annually.Continue Reading NYDFS Proposes Significant Amendments to its Cybersecurity Rules

On June 24, 2022, the U.S. Supreme Court issued its ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and holding that there is no constitutionally protected right to abortion. The significance of the decision cannot be overstated. Dobbs not only rolled back the Court’s prior protection of reproductive rights, it also raised still-unanswered questions about the privacy of digital data and could lead to the overturning of other previous Court opinions that are similarly grounded in privacy interests. In sparking such questions, Dobbs appears to have reinvigorated a national conversation regarding the protection of personal information and, more generally, the need for stronger data privacy safeguards in the United States.Continue Reading Four Months after Dobbs, Privacy Concerns Remain in the Spotlight

Banking organizations and their service providers are now subject to a tight 36-hour breach notification timeframe—the shortest timeline of any U.S. data breach notification law. Starting earlier this month, on May 1, covered banks and providers were required to be in full compliance with a new cyber incident notification rule (“Banking Rule”), issued by the Federal Reserve, the Federal Deposit Insurance Corporation (“FDIC”), and the Treasury Department’s Office of the Comptroller of the Currency (“OCC”) (“the Agencies”), mandating disclosure of triggering cybersecurity incidents (“notification incidents”) within 36 hours after an organization determines such an incident has occurred.

As we observed in a previous post, the Banking Rule, which became effective on April 1, comes at a time when cyberattacks are on the rise and when regulators have, in response to increasing cyber intrusions, enacted or proposed a series of stringent incident reporting requirements. In December 2021, the Federal Trade Commission (“FTC”) proposed an amendment to the recently updated Safeguards Rule that, if adopted, would require covered financial institutions to report to the FTC any security event involving the misuse of customer information of at least 1,000 consumers. Shortly thereafter, in February, the Securities and Exchange Commission (“SEC”) proposed extensive new rules for registered investment advisers and registered investment companies (“funds”) that would, among other things, require advisers to report “significant adviser cybersecurity incidents” and “significant fund cybersecurity incidents” to the SEC within 48 hours of concluding an incident occurred. A month later, the SEC followed up with proposed updates its public-company cybersecurity disclosure rules, which, if adopted, would compel issuers to file an amended Form 8-K within four business days after a triggering material cybersecurity incident took place.

Notably, the final Banking Rule, as well as the flurry of recently proposed cyber reporting regulations, surfaced against the backdrop of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which President Biden signed into law in March, that requires owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Critical Infrastructure Agency (CISA) within 72 hours. CIRCIA’s 72-hour timeframe is in line with the breach reporting timeline of the EU’s Global Data Protection Regulation (“GDPR”) and the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation, which applies to certain insurance and other financial services companies licensed in New York.Continue Reading Banks Must Comply with 36-Hour Notification Rule for Certain Cyber Incidents