
On April 8, 2022, the U.S. Food and Drug Administration (“FDA”) released a draft guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The draft guidance, if finalized, would replace FDA’s 2014 final guidance document titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” adding significant

Data, privacy & cybersecurity partners Ed McNicholas and Fran Faircloth and counsel Kevin Angle authored a chapter in Chambers Global Practice Guide Cybersecurity 2022 on “USA Law & Practice and Trends & Developments.” The chapter provides an overview of cybersecurity regulation in the United States and provides insights on the multitude of cybersecurity

On March 15, 2022, President Biden signed into law significant new federal data breach reporting legislation that could vastly expand data breach notice requirements far beyond regulated entities or entities processing personal data. Unceremoniously tucked as Division Y into the H.R. 2471 Consolidated Appropriations Act, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of

On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed updates to its disclosure rules intended to “enhance and standardize” public company disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting (the “Proposed Rules”). The Proposed Rules may require issuers to update their disclosure controls and procedures, in particular with respect

Anxiety is running high as a result of Russia’s invasion of Ukraine, particularly in cybersecurity circles. The 2017 NotPetya attack was a Russian cyber-weapon fired at Ukraine. In 2017, NotPetya spread to FedEx, Maersk, Merck, and several other companies, and it would be naïve not to expect a spillover from the 2022 attack. Indeed, a barrage of similar “wipers” has already been fired in 2022, and reports are circulating that some computers in Lithuania have been impacted.

Many cyber-weapons are delivered through phishing attacks, and companies can take three important steps to help prevent these attacks:

  • Send out a training reminder to all employees about spotting and avoiding phishing emails that may carry the malware into your environment.
  • Recognize that training will not be enough; increase filtering for malicious messages.
  • Push for multi-factor authentication for remote access to email.



On February 9, 2022, the SEC published a release addressing Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (“Release”). The Release contained proposed new rules under the Advisers Act (Rules 206(4)-9 and 204-6) and the Investment Company Act of 1940 (Rule 38a-2) and amendments (collectively, the “Proposals”), which would require

In a recent article in Global Data Review, Ed McNicholas provided insights on a proposal by the Arizona legislature to ban taxpayer-funded ransomware payments. The bill, recently introduced in the Arizona House of Representatives, would restrict public entities from paying ransoms demanded by hackers. A companion bill would require that cyber attacks be

Private funds that are excluded from the definition of “investment company” under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (“ICA”) will face significantly stricter cybersecurity requirements under the FTC’s revised Safeguards Rule, which comes into full effect as of December 9, 2022. The FTC’s updated Safeguards Rule breaks new ground for

As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.


A pair of government contract-related initiatives may mark a new path for federal cybersecurity efforts.  Past federal initiatives have attempted to use the enormous leverage of federal contract spending to incentivize contractors to protect governmental data, but 2021 saw the Biden Administration launch a significant two-pronged attack on the issue through a new Executive Order and a new civil fraud initiative at the Department of Justice.

Significantly, the Biden Administration’s approach of using an Executive Order to mandate cybersecurity requirements for government contractors and their vendors will affect a large portion of the U.S. economy, without the need for congressional action.  While an Executive Order cannot dictate cybersecurity measures for private companies, the Order does require stricter software security standards for vendors and publication of enhanced National Institute of Standards and Technology (NIST) guidelines that address supply chain security. These provisions would require all vendors who provide services to meet these standards before they could contract with federal agencies.
