Author

Avi Toltzis

Today, April 4, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) officially published its long-awaited Notice of Proposed Rulemaking (“Proposed Rule”) for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The Proposed Rule requests written comments from the public no later than June 3, 2024. CISA will then have 18 months to promulgate a final rule, which is expected to be finalized and in effect by October 2025. CIRCIA Big Picture: CIRCIA is…

In a shocking show of gumption, a ransomware gang has reportedly not only hacked a US public company’s (MeridianLink) IT systems, but also filed a complaint on the SEC’s Tips, Complaints, and Referrals page regarding MeridianLink’s claimed failure to disclose the incident in an 8-K in violation of the SEC’s new cybersecurity rules. Even though public companies are not yet required to comply with the new cybersecurity disclosure rules (8-K requirement goes effective on…

Effective November 1, 2023, New York State Department of Financial Services (“DFS”) Strengthens Cybersecurity Requirements for Financial Services Companies. All companies should take account of these amendments, as these DFS regulations are increasingly referenced as key benchmarks for cybersecurity compliance programs. New York State’s Department of Financial Services (“DFS”) finalized significant amendments to 23 CRR-NY 500 NY-CRR, “Cybersecurity Requirements for Financial Services Companies” (“Part 500”). This follows two rounds of proposed amendments and public comment…

In many ways, the Securities and Exchange Commission’s (“SEC”) October 30, 2023 enforcement action against software company SolarWinds Corporation (“SolarWinds”) and its chief information security officer (“CISO”) is a typical securities case. The first four counts involve alleged material misstatements by the public company related to widely reported operational turmoil that allegedly materially impacted the company. But aspects of the case may signal a change in how the SEC looks at cyber incidents, including internal…

In Brief: In April 2023, Arkansas Governor Sarah Huckabee Sanders signed into law SB 396, the Social Media Safety Act (the “Act”). Arkansas is the second state to enact a law that specifically regulates minors’ social media use, following Utah’s recent social media legislation. The Act, which takes effect on September 1, 2023, requires social media platforms (as defined under the Act) to verify account holders’ ages in order to prohibit Arkansas residents younger than…

In Brief: On Thursday, March 23, Utah Governor Spencer Cox signed two bills, S.B. 152 and H.B. 311 (collectively, the “Utah Social Media Regulation Act”), that impose new requirements and limitations on children’s use of social media platforms. Background: Together, S.B. 152 and H.B. 311 enact the Utah Social Media Regulation Act, which is set to go into effect on March 1, 2024. Once in effect, S.B. 152 will require social media platforms…

In Brief: On March 15, 2023, the US Securities and Exchange Commission (“SEC”) proposed amendments to Regulation S-P (“Reg S-P”). If adopted, the amendments would introduce new data security and governance requirements for broker-dealers, investment companies, and investment advisers registered with the SEC. Background: When the SEC first promulgated Regulation S-P in 2000, the goal was to ensure that covered entities establish adequate safeguards to protect customer information. The existing version consists essentially of two cornerstone…

In Brief: Recent developments in AI technologies have led to the increased use of AI to create a range of works, such as art, music, stories, and even lines of software code, in response to human inputs. This has resulted in an uptick of copyright applications filed with the U.S. Copyright Office (the “Office”) seeking registrations for works with varying degrees of contributions from generative AI tools. This calls into question whether, and to what…

In brief: Critical infrastructure has been the focus of several recent US cyber readiness initiatives, although the results have left a patchwork of regulations that may be enforced differently across sectors and federal agencies. As an example, in March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which will require critical infrastructure organizations to report cyber incidents and ransom payments to the US Cybersecurity and Infrastructure…