On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of the new Civil Cyber-Fraud Initiative, which will use the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.
Continue Reading DOJ Announces New Cyber-Fraud Initiative and Intent to Utilize False Claims Act to Spur Compliance

On October 8, 2021, Senator Ed Markey (D-Mass) and Representatives Kathy Castor (D-Fla) and Lori Trahan (D-Mass) penned a letter to Chair of the Federal Trade Commission Lina Khan, urging the agency to ensure that companies uphold the commitments made in their children’s privacy notices and “hold them accountable if they fail to do so.”
Continue Reading Democratic Lawmakers Urge FTC to Hold Companies Accountable to their Children’s Privacy Notices

On September 28, 2021, Senators Gary Peters and Rob Portman, respectively Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, introduced a bipartisan bill that would require owners and operators of critical infrastructure to notify the Director of the Cybersecurity and Infrastructure Security Agency within 72 hours of having a reasonable belief that a covered cyber incident has occurred.
Continue Reading U.S. Senators Introduce Bipartisan Bill on Reporting Critical Infrastructure Cyber Incidents and Ransomware Payments

On September 30, 2021, the U.S. Department of Health and Human Services’ Office for Civil Rights issued guidance regarding when the HIPAA Privacy Rule applies to disclosures and requests for information about a person’s COVID-19 vaccination status. The guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies.
Continue Reading OCR Guidance Regarding HIPAA’s Applicability to COVID-19 Vaccination Information

On September 22, 2021, Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina Raimondo released a joint statement on the Department of Homeland Security’s issuance of preliminary Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives. The Preliminary Goals identify nine overarching control system cybersecurity performance goals, each containing specific objectives to support the deployment and operation of secure control systems.
Continue Reading DHS Issues Cybersecurity Guidance for Critical Infrastructure Firms

On September 14 and 15, 2021, the National Institute of Standards and Technology held a public workshop, as part of its effort to create a consumer labeling program to communicate the security capabilities of consumer Internet of Things devices and software development practices, as mandated by the Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity.
Continue Reading NIST Holds a Two-Day Public Workshop on Cybersecurity Labeling Programs for Internet of Things Devices and Software

On September 14, 2021, the Federal Trade Commission authorized new compulsory process resolutions in eight key enforcement areas: (1) Acts or Practices Affecting United States Armed Forces Members and Veterans; (2) Acts or Practices Affecting Children; (3) Bias in Algorithms and Biometrics; (4) Deceptive and Manipulative Conduct on the Internet; (5) Repair Restrictions; (6) Abuse of Intellectual Property; (7) Common Directors and Officers and Common Ownership; and (8) Monopolization Offenses.
Continue Reading FTC Authorizes New Compulsory Process Resolutions in Eight Key Enforcement Areas

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. OFAC, with assistance from the FBI, also designated SUEX OTC, S.R.O., as a malicious cyber actor, the first such sanctions designation against a virtual currency exchange.
Continue Reading OFAC Again Says Beware of Sanctions When Making Ransomware Payments and Designates Virtual Currency Exchange as Malicious Cyber Actor

On September 15, 2021, the Federal Trade Commission issued a Policy Statement to clarify the scope of the FTC’s Health Breach Notification Rule as it relates to health apps and connected devices.
Continue Reading FTC Issues Guidance Clarifying Scope of Its Health Breach Notification Rule for Health Apps and Connected Devices