The FTC has announced additional time for financial institutions to comply with new Safeguards Rule changes. In response to personnel shortages and supply chain issues, the new deadline is June 9, 2023: What provisions are included in the six-month extension? Consult the Federal Register Notice for details, but the extension applies to provisions in the revised Rule that require covered companies to:… Read More
Today, the FFIEC issued an update to its October 2018 Cybersecurity Resource Guide. https://www.ffiec.gov/press/pdf/FFIECCybersecurityResourceGuide2022ApprovedRev.pdf The updated resource guide now includes ransomware-specific resources to address the ongoing threat of ransomware incidents. Read More
The Conference of State Bank Supervisors recently released new tools for nonbank financial services companies to improve their cybersecurity posture. The CSBS - Baseline Nonbank Exam Program V1.0 and the CSBS - Enhanced Nonbank Exam Program V1.0 are tools used by state examiners nationwide to assess the cyber preparedness of nonbank entities, and provides these institutions the ability to improve their… Read More
The FTC announced an advanced notice of proposed rulemaking on commercial surveillance and security. “Commercial surveillance” is defined as the business of collecting, analyzing and profiting from consumer data. The FTC seeks public comment on implementation of new rules on how businesses "(1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or… Read More
On August 11, 2022, the CFPB issued a circular on data security and the question "[c]an entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?" The short answer is "yes." The CFPB highlights specific security measures to minimize risk. In line with the new… Read More
In United States v. Thompson, No. CR19-159-RSL, 2022 U.S. Dist. LEXIS 101558, at *3-7 (W.D. Wash. June 7, 2022), Judge Lasnik denied the Government's Motion in Limine to exclude evidence regarding cyber-security vulnerabilities at the corporate victim or other victim entities that are unrelated to the specific vulnerability that defendant allegedly exploited in the case at hand The government moves… Read More
On March 9, the SEC proposed Cybersecurity rules for public companies that if adopted, would impose substantial new reporting obligations for material cybersecurity incidents and cybersecurity risk management, strategy, and governance. A copy of the proposed Rules can be found at https://www.sec.gov/rules/proposed/2022/33-11038.pdf Read More
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory yesterday, alerting companies who engage with victims of ransomware attacks of potential sanctions risks for facilitating ransomware payments. This advisory highlights OFAC’s designations of malicious cyber actors and those who facilitate ransomware transactions under its cyber-related sanctions program. It identifies U.S. government resources for reporting… Read More
The CCPA went live on January 1, 2020, creating a cause of action and potential liability of between $100 to $750 per person for a data breach deriving from a business' failure to maintain reasonable policies and procedures. Unfortunately, the CCPA does not define the term "reasonable". While compliance lawyers and consultants properly have been advising their clients to shore… Read More
