Insights

Client Alerts 16 results

Client Alert | 4 min read | 10.29.24

AI’s Cybersecurity Risks: New York Provides Guidance on Developing Cybersecurity Programs to Address Emerging AI Concerns

On Wednesday, October 16, 2024, New York’s Department of Financial Services (DFS) announced new guidance aimed at identifying and providing a blueprint for protecting against AI-specific cybersecurity risks. Motivated primarily by advancements in AI that substantially impact cybersecurity—including facilitating new ways to commit cybercrime—DFS’s guidance aims to specifically protect New York businesses but applies to all companies concerned with increasing their cybersecurity and managing risks posed by emerging technologies. The guidance addresses the “most significant” AI-related threats to cybersecurity that organizations should consider when developing a cybersecurity program or internal protocols, or implementing cybersecurity controls, and offers recommendations for those cybersecurity programs.
...

Client Alert | 5 min read | 12.19.23

FBI Offers Pathway to Request Delay of SEC Cybersecurity Incident Disclosures

Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.
...

Client Alert | 3 min read | 11.08.23

Uncharted Territory: The SEC Sues SolarWinds and its CISO for Securities Laws Violations in Connection with SUNBURST Cyberattack

On October 30, 2023, the Securities and Exchange Commission (the “SEC”) filed a civil lawsuit charging SolarWinds Corporation (“SolarWinds” or the “Company”) and its chief information security officer, Timothy G. Brown (“Brown”), with securities fraud, internal controls failures, misleading investors about cyber risk, and disclosure controls failures, among other violations.  The SEC’s claims arise from allegedly known cybersecurity risks and vulnerabilities at SolarWinds associated with the SUNBURST cyberattack that occurred between 2018 and 2021.
...

Client Alert | 14 min read | 11.02.23

Biden's Executive Order on Artificial Intelligence

On October 30, 2023, President Biden released an Executive Order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI).  This landmark EO seeks to advance the safe and secure development and deployment of AI by implementing a society-wide effort across government, the private sector, academia, and civil society to harness “AI for good,” while mitigating its substantial risks.
...

Client Alert | 2 min read | 07.21.23

Biden Admin Eyes IoT Cyber Practices

On June 18, 2023, the Biden-Harris administration announced the launch of a new “U.S. Cyber Trust Mark” program (hereinafter the “Program”). First proposed by Federal Communications Commission (“FCC”) Chairwoman Jessica Rosenworcel, the Program aims to increase transparency and competition across the smart devices sector and to assist consumers in making informed decisions about the security of the devices they purchase.
...

Client Alert | 2 min read | 06.07.23

MOVEit Vulnerability: What to Know and What to Do

A new Cybersecurity & Infrastructure Security Agency (CISA) alert advises that, starting in late May, a well-known ransomware group called Clop compromised a widely used managed file transfer (MFT) platform called MOVEit Transfer, reportedly impacting hundreds of companies globally. 
...

Client Alert | 16 min read | 03.06.23

Biden Administration Releases Comprehensive National Cybersecurity Strategy

On March 2, 2023, the Biden Administration released the 35-page National Cybersecurity Strategy (the “Strategy”) with a goal “to secure the full benefits of a safe and secure digital ecosystem for all Americans.”
...

Client Alert | 5 min read | 02.06.23

BIPA Claims Uniformly Have a 5-Year Statute of Limitations

On February 2, 2023, the Illinois Supreme Court ruled that all Biometric Information Privacy Act (“BIPA”) claims are uniformly subject to a five-year statute of limitations, expanding liability for businesses collecting biometric information.[1] In Tims v. Black Horse Carriers, Inc., the court found that a longer, uniform statute of limitations for all claims under BIPA best fulfilled the legislative intent to hold private entities accountable and provide redress for data subjects.[2] The Tims decision partially reversed an appellate court’s interlocutory decision that applied a one-year statute of limitations to some sections of BIPA, while applying a five-year statute of limitations to others.[3] This highly anticipated decision will allow companies to understand and manage their liability risk and will also likely fuel the growth of future BIPA lawsuits.
...

Client Alert | 7 min read | 09.13.22

$1.2 Million CCPA Settlement with Sephora Focuses on Sale of Personal Information and Global Privacy Controls

On August 24, 2022, the California Attorney General’s Office announced a settlement with Sephora, Inc. (Sephora), a French multinational personal care and beauty products retailer. The settlement resolved Sephora’s alleged violations of the California Consumer Privacy Act (CCPA) for allegedly failing to: disclose to consumers that the company was selling their personal information, process user requests to opt out of sale via user-enabled global privacy controls, and cure these violations within the 30-day period currently allowed by the CCPA.
...

Client Alert | 4 min read | 05.11.22

New Law Gives NYDFS Authority to Make Virtual Currency Business Activities in New York More Expensive

Businesses engaged in virtual currency activities with a BitLicense or limited purpose trust charter from the New York State Department of Financial Services (NYDFS) may now face additional fees for supervision in New York, as provided by New York State’s FY2023 budget bill. Signed into law on April 9, 2022, by Governor Kathy Hochul, Senate Bill S.8008C (the “Legislation”) amends New York’s financial services laws to defray NYDFS’ operating expenses for supervision of businesses that engage in virtual currency business activity.
...

Client Alert | 1 min read | 03.18.22

NIST Publishes Assessment Procedures for Enhanced Security Controls Used to Protect CUI

The National Institute of Standards and Technology (NIST) recently published final assessment procedures for the enhanced security controls used to protect particularly sensitive forms of controlled unclassified information (CUI) from sophisticated adversaries.  NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, articulates procedures and methods to assess contractor implementation of the 35 enhanced security controls found in NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.  The publication can be used to conduct first, second, and third-party assessments with varying degrees of rigor based on the assessor’s desired level of assurance.
...

Client Alert | 4 min read | 03.15.22

SEC Proposes New Cybersecurity Risk and Incident Disclosure Obligations

On March 9, 2022, the Securities and Exchange Commission (SEC) issued proposed rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies (registrants) that are subject to the reporting requirements of the Securities Exchange Act of 1934.
...

Client Alert | 3 min read | 03.10.22

NIST Seeking Input on Potential Cybersecurity Framework Update

The National Institute of Standards and Technology (NIST) has published an RFI (87 Fed. Reg. 9,579) seeking stakeholder input on two major cybersecurity fronts:
...

Client Alert | 1 min read | 02.01.22

The Department of Defense Updates Security Requirements for Cloud Services

The Department of Defense (DoD) recently published Version 1, Release 4 of its Cloud Computing Security Requirements Guide (SRG).  The SRG outlines the administrative, technical, and physical security controls and requirements to be followed by contractors providing cloud services to the DoD pursuant to DFARS 252.239-7010, Cloud Computing Services. 
...

Client Alert | 4 min read | 12.20.21

CISA Emergency Directive Requires Immediate Mitigation of Log4j Vulnerabilities

On December 17, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) issued Emergency Directive 22-02 (the “Directive”) instructing civilian federal agencies to mitigate a series of vulnerabilities in Apache Log4j, a Java-based logging library, by 5 p.m. EST on December 23 and to provide a report to CISA about vulnerable applications by December 28.
...

Client Alert | 4 min read | 10.19.21

K-12 Cybersecurity Act of 2021 Launches Initiative to Combat Increasing Cyberattacks on Schools

On October 8, 2021, President Biden signed the K-12 Cybersecurity Act of 2021 (the “Act”) that establishes an education cybersecurity initiative to equip elementary and secondary schools with strategies to combat cyberattacks. The Act directs the Cybersecurity and Infrastructure Security Agency (“CISA”) to collaborate with educational leaders and experts to produce a study of the cybersecurity risks facing K-12 schools and develop recommendations for educational institutions to address those risks.
...