Today we continue our series (see here and here) with the Office of Management and Budget’s September 2022 memorandum requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the NIST. The new requirements will apply to any third-party software that is used on government information systems or that otherwise “affects” government information. You can read our article about the guidance here.
Continue Reading Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Three – Secure Software Development Attestation Requirements
Eye On Privacy
Timely Updates and Analysis on Privacy and Cybersecurity Issues
Latest from Eye On Privacy - Page 2
Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Two – NIST SP 800-171, Revision 3
In this second in our series, we look at the long awaited update to NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” which is expected to be released in late spring 2023. NIST SP 800-171 forms the backbone for contractor security requirements in Department of Defense regulations and the CMMC program. It remains unclear if this update will impact the rollout of the CMMC program. …
Continue Reading Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Two – NIST SP 800-171, Revision 3
2022 Privacy Year In Review
As we start down the path of 2023, with the pandemic not quite behind us and economic uncertainty looming, the world can seem unsettled. Some things do appear to be a constant. Included in those are regulatory and court scrutiny on privacy and cybersecurity. As companies’ privacy and security teams make plans for their 2023 compliance efforts, it can be helpful to look back at last year’s developments.
Continue Reading 2022 Privacy Year In Review
Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part One – CMMC Developments
As we get settled into the New Year it is a good time to reflect on your company’s current data security and plans for 2023. In this five-part series, we reflect on the top important cybersecurity developments for companies that do business with the federal government (whether directly or as a supplier or reseller) and what we anticipate in the new year.
Continue Reading Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part One – CMMC Developments
CFPB Starts Year Seeking Comments on Proposals to Give Consumers Enhanced Control of Financial Data
Recently, the CFPB released an outline of proposed measures related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts that would allow consumers to take control of their personal financial data and determine which third parties could have access to such data. The CFPB is seeking comments on the rulemaking, by January 25, 2023.
Continue Reading CFPB Starts Year Seeking Comments on Proposals to Give Consumers Enhanced Control of Financial Data
New Draft Regulations for Colorado’s Privacy Law
The Colorado Attorney General recently released the second set of draft regulations to the Colorado Privacy Act (CPA). In this draft, the AG is seeking specific input on five different topics. There are also a number of changes to the first draft – some of which will be welcomed by businesses. Companies are reminded that the CPA goes into effect July 1, 2023.
Topics for Comment
In soliciting additional comments to the revised CPA regulations, the Colorado AG is seeking specific input on: (1) clarifications to definitions; (2) use of IP addresses to verify consumer requests; (3) a universal opt-out…
Continue Reading New Draft Regulations for Colorado’s Privacy Law
EU’s Initial Response to US Proposed Data Transfers Framework
The EU released its draft adequacy decision for the EU-US Data Privacy Framework, but all is not smooth sailing. As we wrote in October, the US developed the proposed new framework in response to the declared inadequacy of the EU-US Privacy Shield program. …
Continue Reading EU’s Initial Response to US Proposed Data Transfers Framework
How To Handle CPRA Regulations Delay
As many are aware, the CPRA regulations are currently in draft status and may continue in that state until April, despite the law’s January 1 effective date. This could result in regulations being in final form after the July 1 date that the California Privacy Protection Agency (CPPPA) has signaled that it will begin enforcement. Last week, during a Dec. 16 CPPA board meeting, the agency’s executive director indicated that the final rules will likely be released at the end of January. Although there will then be a comment period, the director indicated that the agency does not currently…
Continue Reading How To Handle CPRA Regulations Delay
Illinois Appellate Court Weighs in on Biometric Data Policies
An Illinois state appellate court’s recent ruling will impact how companies consider compliance with Illinois’ Biometric Information Privacy Act (BIPA). That court ruled companies must have a BIPA-compliant written retention-and-destruction policy in place before collecting and possessing biometric data. The decision makes clear that mere possession of biometric data triggers the duty to develop the necessary written BIPA policy. In relevant part, under BIPA’s section 15(a), companies must establish a written, publicly-available policy that governs their retention and destruction of biometric data.
Continue Reading Illinois Appellate Court Weighs in on Biometric Data Policies
FTC and Other Regulators Continue to Signal Interest in Mobile Health Apps
The FTC is closing out 2022 with additional guidance for mobile health app developers signaling its continued interest in this industry. Since 2021, we have seen several steps from the agency demonstrating a focus on companies that collect health information but may not be a covered entity or business associate under HIPAA. This includes publishing additional resources, releasing commentary broadly interpreting the FTC’s Health Breach Notification Rule, and enforcement activity. Most recently, the FTC and other key regulators updated its “Mobile Health App Interactive Tool”.
Continue Reading FTC and Other Regulators Continue to Signal Interest in Mobile Health Apps
Pennsylvania Amends Breach Notification Law
Pennsylvania recently amended its data breach notification law to expand its definition of personal information and provide for a HIPAA exception. The process for providing notice in the event of a username/email breach has also changed. The amendments will not be effective until May 2, 2023.
Continue Reading Pennsylvania Amends Breach Notification Law
Lessons From New York AG Scrutiny of Breach Investigation and Response
New York’s Attorney General Letitia James recently secured a $1.9 million settlement from online retailer Zoetop Business Company, Ltd. to settle allegations that Zoetop had improperly handled a 2018 data breach and subsequent consumer notification. The scrutiny given to Zoetop provides insights into the NYAG’s expectations around breach investigations and response.
Continue Reading Lessons From New York AG Scrutiny of Breach Investigation and Response
White House Releases Guidance on AI
The White House recently released its Blueprint for an AI Bill of Rights in an effort to guide the discussion on the design, use and deployment of AI in systems that impact the American public. The Blueprint outlines the following five guiding principles:…
Continue Reading White House Releases Guidance on AI
FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations
The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.
Continue Reading FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations
NYDFS’s $4.5 Million EyeMed Cyber Settlement Reminder To Industry
In a recent settlement with the New York Department of Financial Services, EyeMed Vision Care LLC agreed to pay a $4.5 million penalty and undertake remedial measures to increase its cybersecurity. This includes undertaking an action plan based on a comprehensive risk assessment, subject to the review and approval of NYFSD.
Continue Reading NYDFS’s $4.5 Million EyeMed Cyber Settlement Reminder To Industry
White House Aims for Spring 2023 Rollout of Internet of Things Labeling Program
The White House recently hosted a group of industry and government partners to discuss the development and implementation of an Internet of Things (IoT) labeling program. This program would develop a common label to help consumers easily recognize which devices meet the highest cybersecurity standards to protect against vulnerabilities. …
Continue Reading White House Aims for Spring 2023 Rollout of Internet of Things Labeling Program