Archives: Data & Cyber Security

Subscribe to Data & Cyber Security RSS Feed

Department for Digital, Culture, Media and Sport launches consultation on app security

By Cynthia O’Donoghue, Yunzhe Zhang and Sarah O'Brien on 16 May 2022 Posted in Data & Cyber Security, Privacy & Data Protection, Social, Mobile, Analytics & Cloud (SMAC)

On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.… Continue Reading

CafePress FTC settlement signals future approach to enforcement actions

By Nikki Bhargava, Lauren Weaver and Eric Manski on 28 April 2022 Posted in Data & Cyber Security

On March 15, 2022, the Federal Trade Commission (“FTC”) issued a proposed settlement with online custom merchandise platform CafePress in connection with the company’s alleged: (1) failure to implement reasonable security measures to secure consumers’ Personal Information; and (2) attempt to cover up a significant 2019 data breach. The proposed settlement would require CafePress to … Continue Reading

Cybersecurity 2.0: the UK follows suit with the EU in launching cybersecurity law reform

By Cynthia O’Donoghue, Sarah O'Brien and Yunzhe Zhang on 17 March 2022 Posted in Data & Cyber Security

Following the recent adoption of a new draft EU cybersecurity directive (we wrote about it here), the UK government has now also launched a consultation on its proposal to reform the existing UK cybersecurity legislation (see consultation here). A recap of the current UK cybersecurity law: NIS Regulations One of the key pieces of cybersecurity … Continue Reading

SEC proposes cybersecurity rules for registered funds and investment advisers

By Gerard Stegmaier, Howard Womersley Smith, Kile Marks and Eric Manski on 9 March 2022 Posted in Data & Cyber Security, Regulatory

The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to: Maintain and implement cybersecurity policies and procedures; Adopt new recordkeeping standards; Report significant cybersecurity … Continue Reading

Cybersecurity 2.0: European Parliament adopts new draft directive

By Cynthia O’Donoghue on 20 January 2022 Posted in Data & Cyber Security

During the autumn of 2021, the European Parliament adopted a draft cybersecurity directive, the revised ‘Directive on security of network and information systems’ (commonly referred to as ‘NIS2’). When it moved to the Council, additional changes were made; one was to extend the time for Member States to transpose it into national law from 18 … Continue Reading

FTC significantly amends GLBA Safeguards Rule

By Gerard Stegmaier and Mark Quist on 8 November 2021 Posted in Data & Cyber Security, Privacy & Data Protection, Regulatory

The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The … Continue Reading

California amends CCPA and clarifies rulemaking deadline

By Sarah Bruno, Bart Huffman, Christian Blair and Hubert Zanczak on 20 October 2021 Posted in Data & Cyber Security

On October 5, 2021, California Governor Gavin Newsom signed into law amendments to the California Consumer Privacy Act (CCPA) via Assembly Bill 694. Businesses are eagerly awaiting clarification on many aspects of the CCPA and the California Privacy Rights Act (CPRA) (the CPRA is set to go into effect on January 1, 2023, with a 12-month look-back … Continue Reading

Ransomware is on the rise – what to do if you are faced with a cyber attack

By Cynthia O’Donoghue and Philip Thomas on 13 July 2021 Posted in Data & Cyber Security, Privacy & Data Protection

As a result of the COVID-19 pandemic, many more organisations have moved their business operations online. From a cybersecurity and privacy perspective, this brings hackers and criminals greater opportunities to try to infiltrate the increased amount of devices and even deploy ransomware attacks. This is where malware is installed to block access to the user’s … Continue Reading

Tune in for the latest updates on our Tech Law Talks podcast

By Sarah Bruno, Therese Craparo, Anthony Diana, Jason Gordon, Cynthia O’Donoghue, Dr. Andreas Splittgerber, Catherine Castaldo and Asélle Ibraimova on 9 July 2021 Posted in Data & Cyber Security, Privacy & Data Protection, Regulatory

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends, from product and technology development to operational and compliance issues that practitioners encounter every day. What’s new in data protection in the EU It has been a busy few weeks in the EU for all things data … Continue Reading

U.S. Department of Labor issues cybersecurity guidance for protecting ERISA-covered plan data

By Bart Huffman, Jenni Krengel, Wendell Bartnick and Haylie Treas on 10 June 2021 Posted in Data & Cyber Security, Regulatory

The U.S. Department of Labor (DOL) announced in April new cybersecurity guidance (the Guidance) for protecting ERISA-covered plan data from internal and external cybersecurity threats. This Guidance is the first of its kind from the DOL and supplements DOL regulations that govern electronic records and disclosures to plan participants and beneficiaries. The Guidance recognizes that … Continue Reading

Get the latest updates on our Tech Law Talks podcast

By Sarah Bruno, Anthony Diana, LiLing Poh, Dr. Andreas Splittgerber, Catherine Castaldo, Ramona Kimmich, Christian Leuthner and Trevor Satnick on 20 May 2021 Posted in Cookies, Tracking & Online Behavioral Advertising, Data & Cyber Security, Privacy & Data Protection, Regulatory

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends. We cover product and technology development to operational and compliance issues that technology practitioners encounter every day. On this channel, we host regular discussions about the legal and business issues around data protection, privacy and security; data risk … Continue Reading

Executive Order for cybersecurity creates new requirements for government contractors

By Leigh T. Hansson, Gregor Pryor, Gerard Stegmaier, Liza Craig, William Kirkwood and Joshuah Turner on 18 May 2021 Posted in Data & Cyber Security, Privacy & Data Protection, Regulatory

In response to a number of recent high-profile cyber attacks aimed at federal agencies, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity (EO) on May 12, 2021. The EO which created a new Cyber Safety Review Board to review major cyber incidents and requires information and communications technology (ICT) service providers entering into contracts … Continue Reading

Recent report signals NIST may publish IoT cybersecurity standards

By Wendell Bartnick and Hubert Zanczak on 12 May 2021 Posted in Data & Cyber Security

Although regulators seem to think all too often that cybersecurity is an after-thought for internet-connected device manufacturers, the National Institute of Standards and Technology (NIST) recognizes that as the Internet of Things (IoT) grows, so do cybersecurity risks. In March 2021, NIST published several key takeaways from a recent workshop that provide helpful guidance for … Continue Reading

New podcast channel, Tech Law Talks, now live!

By Anthony Diana, Therese Craparo, Trevor Satnick and Erika Kweon on 25 February 2021 Posted in Data & Cyber Security

Reed Smith is proud to announce the launch of its sixth podcast channel, Tech Law Talks. The channel will present in-depth, practical observations on tech and data legal trends that practitioners encounter every day. Tune in for regular discussions led by the firm’s technology lawyers about the legal and business issues around data protection, privacy … Continue Reading

Cybersecurity Maturity Model Certification: New requirements in the near future

By Bart Huffman, Liza Craig, Elizabeth Leavy and Aryeh Younger on 17 June 2020 Posted in Data & Cyber Security, Regulatory

Beginning in November 2020, the Department of Defense (DoD) has confirmed that new solicitations will include the new Cybersecurity Maturity Model Certification (CMMC). Despite the impact of COVID-19, this confirmation indicates that the DoD is intent upon ensuring the protection of certain critical information and shoring up protection of its critical networks and supply chain. … Continue Reading

Responding to requests: the ICO considers manifestly unfounded and excessive requests

By Cynthia O’Donoghue and Katalina Bateman on 16 June 2020 Posted in Data & Cyber Security, Privacy & Data Protection

The Information Commissioner’s Office (ICO) has updated its guidance on access requests and whether such requests are manifestly unfounded or excessive, providing further clarification to the definitions in the guidance and on how data controllers should respond to such requests. We summarise the key points below. Background A data subject has rights under the Data … Continue Reading

Medical Device Coordination Group guidance on cybersecurity for medical devices

By Cynthia O’Donoghue and Katalina Bateman on 15 June 2020 Posted in Data & Cyber Security

Background In light of the growing concern over cybersecurity and the increasing complexity of medical device supply chains, the Medical Device Coordination Group has released updated guidance on cybersecurity for medical devices (the Guidance). The Guidance is intended to supplement the essential requirements listed in Annex I of the Medical Devices Regulations (Regulations 745/2017 and … Continue Reading

Amendments to Vermont’s Security Breach Notice Act to become effective July 1

By Bart Huffman, Wendell Bartnick and Haylie Treas on 2 June 2020 Posted in Data & Cyber Security

Vermont’s Security Breach Notice Act is noteworthy because it has the United States’ shortest deadline for providing preliminary notice of a “security breach” to the state’s attorney general. The deadline is 14 days from discovery of a security breach. Security incident response teams commonly consider the Vermont law early in the response process to determine … Continue Reading

California relaxes key telehealth regulatory requirements during COVID-19 emergency

By Kimberly Gold, Alexis Cocco, James F. Hennessy and Emily Lynch on 13 April 2020 Posted in Data & Cyber Security, Privacy & Data Protection, Regulatory

On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 (the Order), which relaxes various telehealth reporting requirements, penalties, and enforcements otherwise imposed under state laws, including those associated with unauthorized access and disclosure of personal … Continue Reading

U.S. cybersecurity – points to remember when business is not as usual

By Bart Huffman, Gerard Stegmaier, David Krone and Haylie Treas on 7 April 2020 Posted in Data & Cyber Security, Privacy & Data Protection

As the U.S. economy and educational system adapt to work and life at home, it is important to remember that cybersecurity (and related privacy) risks remain and are evolving. Remembering to think through measures that are in place to protect personal information, proprietary information, confidential information, and information needed for ongoing operations can help businesses … Continue Reading

New key features of FTC data security orders highlighted by Consumer Protection Bureau Director

By Gerard Stegmaier and Courtney E. Fisher on 20 February 2020 Posted in Data & Cyber Security, Regulatory

On January 6, 2020, the Director of the Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection, Andrew Smith, published a blog post highlighting recent changes to the Commission’s enforcement orders relating to data security. Industry leaders, law practitioners, Congress, and even the courts have been critical of aspects of the Commission’s data security orders. In … Continue Reading

2020 could be a monumental year for adtech

By Elle Todd, Keri S. Bruce and Sarah Bruno on 5 February 2020 Posted in Cookies, Tracking & Online Behavioral Advertising, Data & Cyber Security, Privacy & Data Protection, Regulatory

With the California Consumer Privacy Act (CCPA) coming into effect on January 1 and the announcement on 14 January from Google that it will be phasing out third party cookies within the next two years, it seems that 2020 will be a significant year for the adtech industry as industry players react with solutions and … Continue Reading

Cyber crime now poses increasing threat to the cannabis industry

By Carolyn Rosenberg, Andy Moss and Emily Garrison on 29 January 2020 Posted in Data & Cyber Security, Privacy & Data Protection

According to a report issued last week, tens of thousands of cannabis dispensary customers’ personal data has been exposed following a data breach of a sales system that at least three (and likely more) cannabis dispensaries may have used to manage their sales to customers. Our recent client alert highlights the increasing threat that cyber … Continue Reading