Cybersecurity and Data Privacy

Subscribe to Cybersecurity and Data Privacy via RSS

What’s Happening?

Under the Department of Justice’s (DOJ) “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” rules (the Rules), allowing access outside the United States to certain types of sensitive personal data involving “countries of concern” may be restricted or prohibited beginning on April 8.  See our previous advisory for more detail.

Dear Mary,

Our company experienced a cybersecurity incident. It seemed pretty minor — just a few suspicious emails and an employee’s account being locked. To my dismay, we’re now hearing from our IT team that the issue is more serious. We have cyber insurance, but we didn’t notify our carrier right away. Did we make a mistake? When should I reach out to our insurance provider?

– Unsure Insured of San Francisco

State attorneys general (AGs) continue to play a pivotal role as innovators, shaping the regulatory environment by leveraging their expertise and resources to influence policy and practice. The public-facing nature of AG offices across the U.S. compels them to respond to constituent concerns on abbreviated timetables. This political sensitivity, combined with the AGs’ authority to address both local and national issues, underscores their significant influence in the current regulatory environment.

Published in Law360 on January 22, 2025. © Copyright 2025, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.

In the first installment of this two-part article, state attorneys general across the U.S. took bold action in 2024 to address what they perceived as unlawful activities by corporations in several areas, including privacy and data security, financial transparency, children’s internet safety, and other overall consumer protection claims.

On January 6, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published significant proposed amendments (proposed rule) to the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Key drivers for the proposed rule include the dramatic increase in cyberattacks, including ransomware, the rapid adoption of cloud computing, mobile devices, and other technologies, and inconsistent compliance with the existing Security Rule identified by the OCR’s investigations.

On November 21, the Supreme Court of Virginia entered a published order reversing a 14-3 en banc decision of the Court of Appeals of Virginia addressing the applicability of Virginia’s criminal laws regulating cybercrime. The decision in Commonwealth v. Wallace is the latest example of courts testing regulatory reach in the cybercrime arena.

New York Attorney General (AG) Letitia James and global movie theater operator National Amusements, Inc. (National) settled a lawsuit stemming from a 2022 data breach reported by National, which affected 82,128 National employees. As part of its settlement, National agreed to pay $250,000 in penalties to the state and to “improve existing cybersecurity infrastructure to prevent future data breaches.”

1. The Real Risk of Cybersecurity: Choosing to be Unaware

Since 2016, the federal government has implemented numerous procurement regulations and associated contract clauses to address cybersecurity by requiring contractors to adopt various controls and standards to protect sensitive, unclassified information, and to harden information technology (IT) systems to make them more resilient to all manner of cyber hacks. The easy part (not that it was at all easy) was developing the controls and standards – NIST SP 800-171 (currently up to Rev. 3), and contract clauses (most notably, FAR 52.204-21, and DFARS 252.204-7012, 7019, 7020, 7021, and others). The difficult part is getting contractors to take seriously the obligation to invest in cybersecurity.