The Critical Entities Resilience Directive (‘CER’) entered into force on 16 January 2023, replacing the 2008 European Critical Infrastructure Directive. The new rules are aiming to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. The CER Directive introduces new obligations on entities providing
cybersecurity
Attorney General Rokita on the possibility of a federal privacy law, Indiana’s breach notification law, and regulating data brokers
In the June edition of IAPP’s Privacy Advisor, Divonne Smoyer and Roger Gibboni talk to Indiana State Attorney General Todd Rokita on the possibility of Congress passing a federal privacy law, Indiana’s different approaches to data privacy and protection, and its recent announcement that the state was joining Washington, Texas, and D.C. in an…
Department for Digital, Culture, Media and Sport launches consultation on app security
On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.Continue Reading Department for Digital, Culture, Media and Sport launches consultation on app security
CafePress FTC settlement signals future approach to enforcement actions
On March 15, 2022, the Federal Trade Commission (“FTC”) issued a proposed settlement with online custom merchandise platform CafePress in connection with the company’s alleged: (1) failure to implement reasonable security measures to secure consumers’ Personal Information; and (2) attempt to cover up a significant 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to victims of the data breaches. The FTC’s Complaint alleges that CafePress misrepresented its security practices and unfairly failed to implement reasonable security measures to protect the Personal Information of consumers and merchants stored on the company’s systems. Although similar in content to previous FTC orders, the current order addresses a myriad of unique provisions and provides a glimpse into the FTC’s future enforcement of cybersecurity issues.Continue Reading CafePress FTC settlement signals future approach to enforcement actions
European Commission adopts two proposals for cybersecurity and information security regulations
On 22 March 2022, the European Commission (“EC”) adopted two new proposals for a Cybersecurity Regulation and an Information Security Regulation (available here and here). These regulations aim to set common priorities and frameworks in order to further strengthen inter-institutional co-operation, minimise risk exposure and further strengthen the EU security culture.
Continue Reading European Commission adopts two proposals for cybersecurity and information security regulations
SEC proposes cybersecurity rules for registered funds and investment advisers
The Securities and Exchange Commission (SEC) is proposing new rules to require registered funds (RFs) and investment advisers (RIAs) to implement comprehensive cybersecurity programs. Under the proposed rules, the SEC seeks to accomplish four main objectives, requiring RFs and RIAs to:
- Maintain and implement cybersecurity policies and procedures;
- Adopt new recordkeeping standards;
- Report significant cybersecurity incidents to the commission; and
- Disclose cybersecurity risks and incidents to clients and investors.
Continue Reading SEC proposes cybersecurity rules for registered funds and investment advisers
Additional cybersecurity measure proposed for CIP Reliability Standards
In response to recent cybersecurity incidents, the Federal Energy Regulatory Commission (FERC) has announced a Notice of Proposed Rulemaking (NOPR) that would task the North American Electric Reliability Corporation (NERC) to impose additional cybersecurity requirements on high-, medium-, and, potentially, low-impact bulk electric systems in its Critical Infrastructure Protection (CIP) Reliability Standards.
Continue Reading Additional cybersecurity measure proposed for CIP Reliability Standards
Cybersecurity 2.0: European Parliament adopts new draft directive
During the autumn of 2021, the European Parliament adopted a draft cybersecurity directive, the revised ‘Directive on security of network and information systems’ (commonly referred to as ‘NIS2’). When it moved to the Council, additional changes were made; one was to extend the time for Member States to transpose it into national law from 18 months to two years.
Continue Reading Cybersecurity 2.0: European Parliament adopts new draft directive
DOJ’s new Civil Cyber-Fraud Initiative
On October 6, 2021, the Department of Justice (DOJ) announced the launch of its new Civil Cyber-Fraud Initiative that emphasizes accountability for conduct that could increase cybersecurity threats to the government. This initiative supports the Biden administration’s goals and efforts to improve U.S. cybersecurity generally. Those who do business with the government or receive federal…
Key rules of PRC’s new Personal Information Protection Law
During the thirtieth meeting of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China on August 20, 2021, they finally passed the long-awaited Personal Information Protection Law (PIPL), which will come into force on November 1, 2021.
Our recent client alert, the first in a series which we…