The Federal Trade Commission has finalized amendments to the Standards for Safeguarding Customer Information (“Safeguards Rule”), specific to defined financial institutions, designed to strengthen security for consumer financial information following a recent uptick in data breaches.

The amendments contain four main modifications to the existing Rule that outline additional protections financial institutions must implement when handling sensitive consumer data.

• First, the amendments provide financial institutions with additional guidance regarding developing and implementing an information security program,…

More

On November 3, 2021, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) added two Israeli entities to the Entity List due to malicious cyber activities. In its press release, BIS stated that the designation of Israeli companies NSO Group and Candiru was based on evidence that these entities developed and supplied spyware to foreign governments, which was then used for malicious surveillance,… More

The U.S Department of the Treasury’s Office of Foreign Assets Control (OFAC) has published guidance to aid members of the virtual currency industry (ranging from tech companies to brokers to users) in complying with OFAC requirements. OFAC defines “virtual currency” to encompass non-sovereign, non-fiat currencies that can be used as a store of value or as a medium of exchange—a category inclusive of most cryptocurrencies, including common tokens such as Bitcoin or Ether.… More

As we anticipated last spring, the Department of Justice (DOJ) has signaled that it will utilize civil enforcement of the False Claims Act (FCA) to address new and emerging cybersecurity threats. On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of a new cyber-fraud initiative led by the Fraud Section of DOJ’s Commercial Litigation Branch. The new initiative will focus FCA enforcement against federal government contractors or grant recipients who fail to follow required cybersecurity standards.… More

On September 30, 2021, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine.

The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records.… More

Ransomware payments continue to be a focus of the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As previously reported by Foley Hoag, on October 1, 2020, OFAC released an advisory regarding potential sanctions risks related to facilitating ransomware payments. Almost a year later, on September 21, 2021, OFAC updated its advisory to provide additional guidance regarding what OFAC considers to be mitigating factors if facilitating a ransomware payment results in an apparent violation of U.S.… More

Ransomware payments continue to be a focus of the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). As previously reported by Foley Hoag, on October 1, 2020, OFAC released an advisory regarding potential sanctions risks related to facilitating ransomware payments. Almost a year later, on September 21, 2021, OFAC updated its advisory to provide additional guidance regarding what OFAC considers to be mitigating factors if facilitating a ransomware payment results in an apparent violation of U.S.… More

A data security incident will always require a technical response, and usually that technical response will come from outside experts.  Those experts are hired to investigate and remediate an incident.  Since data incidents can lead to government investigations and litigation, the question is whether digital forensics reports from those vendors — and the communications around those reports — will be subject to discovery when litigation occurs.  A recent decision in this important and evolving area of case law makes clear that protecting those reports and communications is very difficult,… More

On July 7, 2021, Governor Jared Polis signed into law the Colorado Privacy Act (CPA), making Colorado the most recent state to enact comprehensive privacy legislation.  While the CPA does not take effect until July 1, 2023, it contains robust provisions that businesses will need some time to prepare for.

The CPA draws many principles from and has a similar framework to the California Consumer Privacy Act (CCPA),… More

On June 10, 2021, China adopted a new Data Security Law that will impact every business operating in or doing business with China. The law, which will take effect in less than a month (September 1, 2021), is sweeping in scope, imposes extensive data processing obligations, and establishes potentially severe penalties for violations. Although many of the details surrounding implementation remain unclear, given the law’s extensive requirements and severe penalties for noncompliance,… More