On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency released an unpublished Notice of Proposed Rulemaking (“NPRM”) that would require covered entities to report (1) qualifying cyber incidents, (2) ransom payments made in response to a ransomware attack, and (3) any substantially new or different information discovered related to a previously submitted report to CISA. The NPRM will be officially published on April 4, 2024, and comments are due by June 3, 2024.
Continue Reading U.S. Cybersecurity and Infrastructure Agency Releases Proposed Rules on Breach Reporting Requirements

On March 20, 2024, the U.S. House of Representatives passed legislation that will prohibit data brokers from transferring U.S. residents’ sensitive personal data to foreign adversaries, including China and Russia. The Protecting Americans’ Data from Foreign Adversaries Act of 2024 marks a significant development in executive and legislative action related to foreign access to U.S. data.
Continue Reading House Passes the Protecting Americans’ Data from Foreign Adversaries Act

On March 14, 2024, Bloomberg Law reported that the Federal Communications Commission adopted rules creating a voluntary cybersecurity labeling program for wireless consumer Internet of Things (“IoT”) products, as well as a further notice of proposed rulemaking that seeks comments addressing additional disclosure requirements for program participants with respect to national security.
Continue Reading FCC Launches Cybersecurity IoT Labeling Program

President Biden recently released an Executive Order “addressing the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.”
Continue Reading DOJ Regulations and White House Executive Order Will Target Protections for Americans’ Sensitive Personal Data Against Foreign Threat Actors

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of its voluntary Cybersecurity Framework (“CSF”).

The first iteration of the CSF was released in 2014 as a result of an Executive Order, to help organizations understand, manage, and reduce their cybersecurity risks. The original CSF was developed for organizations in the critical infrastructure sector, such as hospitals and power plants, but has since been voluntarily implemented across various sectors and industries, including throughout schools and local governments.
Continue Reading NIST Releases Cybersecurity Framework 2.0

On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.
Continue Reading HHS Targets Small Behavioral Health Clinic for HIPAA Violations Following Ransomware Investigation

On February 16, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”) published a final version of Special Publication 800-66 Revision 2, “Implementing the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule: A Cybersecurity Resource Guide.” The publication features guidance