Cybersecurity Archives

In Cybersecurity

Prepping For the Holidays: Companies to Strengthen Cybersecurity Infrastructure in Compliance with Amendments To New York’s Cybersecurity Regulation

November 19, 2024 by Justine Phillips and Mercedes Subhani 4 Mins Read

In brief New York banks, lenders, companies, and service providers should note that on November 1, 2024, the amendments to the New York Department of Financial Services’ (“NYDFS'”) cybersecurity regulations took effect. The amendments widened the scope of “covered entities” to include any licensed financial institution company operating in New York regardless of whether it is already regulated by other government agencies. Additionally, the amendments require the regulated entities to significantly increase their proactive and…

In Data Privacy

A glimpse into the future of cross-border data regulation

November 8, 2024 by Brian Hengesbaugh and Elizabeth Denham CBE 7 Mins Read

This article was originally published by IAPP linked here. Recent global developments offer a glimpse into the future of cross-border data regulation. Historically, such regulations have focused on restrictions of cross-border transfers of personal data to achieve public policy goals on individual privacy rights. Today, cross-border data regulations are starting to cover a broader array of data, such as personal data, nonpersonal data and other company information, for a diversified range of public policy purposes…

In Cybersecurity

Saudi Arabia publishes guidance on data breach notification

October 30, 2024 by Abdulrahman AlAjlan, Dino Wilkinson, Zahi Y. Younes and Marilyn Acquah 5 Mins Read

In brief The Saudi Data and AI Authority (SDAIA) has published a procedural guide to data breach incidents, notification and response (“Guide”). The Guide supplements the existing notification obligations under the Saudi Personal Data Protection Law (PDPL) and provides organizations with guidance on the various stages of responding to a personal data breach incident. The Guide can be found here. In this article, we have summarized the key takeaways for organizations to consider when implementing response…

In Cybersecurity

United States: SolarWinds landmark ruling – Amid defense victories, questions remain on individual liability and material misstatements of fact

July 24, 2024 by Justine Phillips, Elizabeth Roper and Jerome Tomas 11 Mins Read

In brief In a landmark decision on July 18, 2024, Judge Paul Englemayer of the Southern District of New York dismissed most charges in the SEC’s enforcement action against SolarWinds and its CISO, Timothy Brown. The court ruled that cybersecurity controls are not part of a company’s “system of internal accounting controls” under Section 13(b)(2)(B)(iii) of the Exchange Act, dismissing these claims. However, the court upheld charges that SolarWinds and Brown misled investors with public…

In Cybersecurity

United States: SEC clarifies cybersecurity incident reporting under Item 1.05 on Form 8-K

May 24, 2024 by Sali Wissa, Chris Bartoli, Brian Hengesbaugh, Jerome Tomas, Emily Nash and Anelis Villarreal 4 Mins Read

In brief On May 21, 2024, Erik Gerding, Director of the US Securities and Exchange Commission (SEC) Division of Corporate Finance, issued a statement1 clarifying the SEC’s expectations for cybersecurity incident disclosures under the new Form 8-K Item 1.05. Gerding’s statement clarified that Item 1.05 disclosures should be reserved for material cybersecurity incidents, and voluntary disclosures of immaterial incidents, or of incidents before a materiality determination has been made, should be provided under a different item of…

In Cybersecurity

Mission Critical: CIRCIA’s Regulations and the Race to Secure Critical Infrastructure

April 4, 2024 by Justine Phillips, Cyrus R. Vance Jr. and Avi Toltzis 9 Mins Read

Today, April 4, 2024, Cybersecurity and Infrastructure Security Agency (“CISA”) officially published its long-awaited Notice of Proposed Rulemaking (“Proposed Rule”) for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The Proposed Rule requests written comments from the public no later than June 3, 2024. CISA will then have 18 months to promulgate a final rule which is expected to be finalized and in effect by October 2025. CIRCIA Big Picture CIRCIA is…

In Cybersecurity

China’s Detailed Cybersecurity Reporting and Disclosure Rules

January 18, 2024 by Rachel Ehlers, Brian Hengesbaugh and Zhenyu Ruan 3 Mins Read

On January 7, 2024, China’s Cyberspace Administration (“CAC”) closed the public consultation period for its new cybersecurity incident reporting rules, which were released in December. If the draft rules are adopted as written, companies would be required to report certain cybersecurity incidents to the relevant Chinese regulator within one hour. The relevant regulator depends on the nature of the IT system compromised, the industry, and other factors and may be the local CAC, the public…

In Cybersecurity

Lions and tigers and bears, oh my! Global legal risks in cybersecurity investigations

January 5, 2024 by Brian Hengesbaugh 11 Mins Read

In the classic movie “The Wizard of Oz,” Dorothy, Scarecrow and Tinman walk through the forest while expressing great concern about the “lions and tigers and bears, oh my!” they may face on their journey to Oz. Companies experiencing global ransomware and cyberattacks can experience similar emotions as they grapple with increasingly complex global legal risks. Across the globe, local legislatures and regulatory authorities have established a multitude of different and sometimes conflicting legal obligations…

In Cybersecurity

FCC Refreshes its Data Breach Notification Rule

January 2, 2024 by Cynthia Cole, Rachel Ehlers, Brian Hengesbaugh, Cristina Messerschmidt, Justine Phillips, Elizabeth Roper and Cyrus R. Vance Jr. 4 Mins Read

On December 21, 2023 the Federal Communications Commission (FCC) issued updates to its Data Breach Notification Rule, which applies to telecommunications carriers, as well as to voice over internet protocol (VoIP) and telecommunications relay service (TRS) providers. The updated Data Breach Notification Rule marks the most significant changes to the Rule since its adoption 16 years ago and modernizes the FCC requirements by bringing them more closely in line with other breach reporting obligations. The…

In Cybersecurity

The 2024 Baker McKenzie “Top 10” Predictions on Global Data Privacy and Cybersecurity Risks

This past year brought the rapid rise of ChatGPT and other generative AI platforms, accompanied by several noteworthy legal and regulatory developments. 2024 promises to continue with technology advances, making it a pivotal year for businesses navigating global data privacy and cybersecurity risks. Our Baker McKenzie Top 10 predictions for 2024 follow. As is evident, 2024 will be a critical year for global data privacy and cybersecurity. We welcome your thoughts and predictions. Please feel…