On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule requiring U.S. banks to notify federal regulators within 36 hours of determining that a computer-security incident meeting certain criteria has occurred. The rule also requires bank service providers to notify affected banks “as soon as possible” when the service provider determines that a computer-security incident has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
Continue Reading Federal Regulators Issue New Cyber Incident Reporting Rule for Banks

On November 3, 2021, the Cybersecurity and Infrastructure Security Agency announced Directive 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities, establishing a CISA-managed catalog of vulnerabilities and ordering federal agencies to remediate such vulnerabilities on government information systems.
Continue Reading CISA Issues New Cybersecurity Directive for Federal Agencies

On October 27, 2021, the Federal Trade Commission announced significant amendments to the agency’s Safeguards Rule, which requires covered financial institutions to develop, implement and maintain a comprehensive information security program that complies with the Safeguards Rule’s requirements.
Continue Reading FTC Announces Significant Updates to GLB Safeguards Rule

On October 6, 2021, Deputy Attorney General Lisa Monaco announced the launch of the new Civil Cyber-Fraud Initiative that will use the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.
Continue Reading DOJ Announces New Cyber-Fraud Initiative and Intent to Utilize False Claims Act to Spur Compliance

On October 8, 2021, Senator Ed Markey (D-Mass) and Representatives Kathy Castor (D-Fla) and Lori Trahan (D-Mass) penned a letter to Chair of the Federal Trade Commission Lina Khan, urging the agency to ensure that companies uphold the commitments made in their children’s privacy notices and “hold them accountable if they fail to do so.”
Continue Reading Democratic Lawmakers Urge FTC to Hold Companies Accountable to their Children’s Privacy Notices

On September 28, 2021, Senators Gary Peters and Rob Portman, respectively Chairman and Ranking Member of the Homeland Security and Government Affairs Committee, introduced a bipartisan bill that would require owners and operators of critical infrastructure to notify the Director of the Cybersecurity and Infrastructure Security Agency within 72 hours of having a reasonable belief that a covered cyber incident has occurred.
Continue Reading U.S. Senators Introduce Bipartisan Bill on Reporting Critical Infrastructure Cyber Incidents and Ransomware Payments

On September 30, 2021, the U.S. Department of Health and Human Services’ Office for Civil Rights issued guidance regarding when the HIPAA Privacy Rule applies to disclosures and requests for information about a person’s COVID-19 vaccination status. The guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies.
Continue Reading OCR Guidance Regarding HIPAA’s Applicability to COVID-19 Vaccination Information

On September 22, 2021, Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina Raimondo released a joint statement on the Department of Homeland Security’s issuance of preliminary Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives. The Preliminary Goals identify nine overarching control system cybersecurity performance goals, each containing specific objectives to support the deployment and operation of secure control systems.
Continue Reading DHS Issues Cybersecurity Guidance for Critical Infrastructure Firms