Cybersecurity, Information Governance, and Privacy

Organizations worldwide were busy this weekend after Kaseya, a software provider servicing more than 40,000 organizations, disclosed that it was the victim of a sophisticated cyberattack that is believed to have been orchestrated by REvil, a cybercriminal acting out of Russia. This latest announcement comes on the heels of several high-profile ransomware attacks that have

New York City’s Biometric Identifier Information Law goes into effect July 9. The law applies to food and drink establishments, places of entertainment, and retail stores in New York City that collect, retain, convert, store, or share biometric identifier information (e.g., retina or iris scans, fingerprints, voiceprints, and hand scans) from customers. According

On May 12, President Biden signed an executive order (EO) that seeks to improve the federal government’s cybersecurity. This comes in the wake of sweeping cyber incidents, such as the SolarWinds incident. The EO calls on both the federal government and the private sector to work collaboratively to identify, deter, detect, and respond to cyber

On May 6, Google announced that mobile app developers will be required to publish their privacy policies and make other privacy disclosures in a new “safety” section within Google Play beginning in Q2 2022. Google’s announcement is reminiscent of Apple’s June 2020 announcement that app developers publishing in its App Store must publish privacy “nutrition

The Second Circuit recently issued a decision in McMorris v. Carlos Lopez & Associates, LLC, No. 19-4310, 2021 U.S. App. LEXIS 12328 (2nd Cir. Apr. 26, 2021), which clarifies the circumstances under which plaintiffs alleging an increased risk of future identity theft or fraud due to the exposure of their personal data can establish

A federal court in Michigan recently ruled that out-of-state residents have standing to sue under the Michigan Personal Privacy Protection Act (PPPA). In Lin v. Crain Communications, Inc., Case No. 2:19-cv-11889 (E.D. Mich., June 25, 2019), Gary Lin, a Virginia resident, filed a putative class-action lawsuit against Crain Communications, Inc. (Crain), a Michigan-based publishing

At the Nationwide Multistate Licensing System (NMLS) Annual Conference, state financial regulators released an updated cybersecurity examination tool for nonbank financial company supervision. The tool is designed for state regulators to use in examinations, but “companies are encouraged to use it to assess their cybersecurity health between examinations.”

State regulators are continuing to find new

We have long predicted that just as other states followed California in passing breach notification laws, states would follow in California’s footsteps in regulating information privacy practices with the California Consumer Privacy Act of 2018 (CCPA), which was later amended by the California Privacy Rights Act of 2020 (CPRA).[1] The Virginia state legislature recently

On February 4, the New York Department of Financial Services (DFS) released the Cyber Insurance Risk Framework (Framework), which is considered the first guidance by a U.S. regulator on cyber insurance. The Framework is aimed at property and casualty insurers that provide cyber insurance, as well as other insurers that do not write specific cyber

The Eleventh Circuit affirmed a district court’s dismissal for lack of standing in a data incident case. The majority opinion, written by Senior Judge Gerald Bard Tjoflat and joined by Judge Adalberto Jordan and Senior Fourth Circuit Judge William Traxler sitting by designation, highlighted the disagreement among federal appellate courts about the type of harm