Cybersecurity Law Is A Dynamic Landscape
Our Aim Is To Provide Clients With Clarity
In our increasingly data-first world, cybersecurity is more critical than ever in guarding against cyberattacks that can be catastrophic. In light of the ever-expanding and critical nature of cybersecurity, laws of cybersecurity are dynamic and growing, with several laws in effect, ranging from the EU and UK versions of the GDPR, US state-specific laws such as California’s CCPA as amended by the CPRA and New York’s SHIELD Act and the NYDFS cyber security regulation, as well as sector-specific laws such as HIPAA for certain health information to the GLBA for certain financial data and the SEC’s cybersecurity breach disclosure rules. Layered on top of these laws are cybersecurity frameworks and standards, such as those from the NIST, as well as regulatory guidance, such as from the UK’s National Cyber Security Centre (NCSC) guide to CEOs on cyber incident response. Further, with the proliferation of artificial intelligence, cybersecurity regulations, and standards are increasingly coming into view.
While many of these laws have a privacy-specific focus, such as how data can be processed, they also have cybersecurity components, such as the kinds of security needed to ensure the safety and integrity of information to the required procedures that must be followed in the event of a data breach, including regulator and consumer notification. While larger businesses operating globally have larger risk vectors in the cybersecurity context, even smaller businesses need to contend with cybersecurity and, by extension, cyberattacks.
Some examples of cybersecurity, privacy, and related data protection laws having an impact on companies, including via enforcement actions, include the following:
- Irish Data Protection Commission fines Meta Ireland €91 million: The Data Protection Commission (DPC) has today announced its final decision following an inquiry into Meta Platforms Ireland Limited (MPIL). This inquiry was launched in April 2019, after MPIL notified the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems (i.e. without cryptographic protection or encryption).
- Marriott agrees to pay $52 million, beef up data security to resolve probes over data breaches: Marriott International has agreed to pay $52 million and make changes to bolster its data security to resolve state and federal claims related to major data breaches that affected more than 300 million of its customers worldwide.
At RICHT, we understand the importance of having a cybersecurity lawyer to counsel businesses in today’s digital yet dynamic regulatory frameworks combined with an ever-evolving threat landscape. We focus on helping clients avoid costly legal cybersecurity risks while mitigating damage from cybersecurity incidents and matters once they arise. Whether it is incident and breach response and notification to data privacy and protection, we work closely with our clients to develop tailored strategies that meet their unique needs. In addition, in conjunction with RICHT&Co., we offer a variety of technical services, such as vulnerability assessments and penetration testing, to help our clients identify and address potential security deficiencies before they can be exploited. In addition, clients benefit from reputational risk management and PR strategy via Baker Hartford.
Cybersecurity Law Services We Offer
Some Of The Types Of Clients We Can Help
Navigating the New Cybersecurity Regulatory Landscape Post-Chevron
On June 28, 2024, in a landmark decision, the Supreme Court overruled the four decade old case Chevron v. Natural Resources Defense Council. This pivotal decision should spur businesses to recalibrate their existing relationship with federal agencies. Indeed, we have already seen industry groups begin to use the overruling to influence agency rulemaking, signaling a future of significant shifts in the regulatory landscape. For those operating in regulated industries—including government contractors, and particularly those navigating the complex world of cybersecurity regulation—understanding the implications of the decision is crucial.
Judge Deals Major Blow To SEC’s Cybersecurity Enforcement Stance
Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York last week dismissed much of the case, including the SEC’s claim that a cybersecurity failure can be punished as an “internal accounting controls” violation under Section 13(b)(2)(B) of the Securities Exchange Act.
White House Fills In Details Of National Cybersecurity Strategy
While the plan may convey the right kind of urgency, it lacks both funding and bipartisan support, industry professionals say.
NY AG Notifies 17 Companies of Breaches, Says 1.1 Million Accounts Compromised in Attacks
Seventeen companies have been informed of cyberattacks that compromised user information by New York Attorney General Letitia James following an investigation into credential stuffing. More than 1 million customer accounts were compromised due to the attacks, which James said were previously undetected.
