Board Governance & Cyber Risk Management

SEC Settlement Suggests the Agency’s Attempt to Regulate Cybersecurity Controls

July 2, 2024 By Cara Peterman, Kim Peretti, David Brown, Sierra Shear and Madeleine Juszynski Davidson

On June 18, 2024, the SEC announced a $2.125 million settlement with R.R. Donnelley & Sons Co. (“RRD”) related to the company’s 2021 ransomware attack (the “Incident”). The settlement, and the SEC’s accompanying cease-and-desist order (the “Order”), portend the agency’s continued and increasing oversight over registrants’ cybersecurity policies and practices. Background RRD is a global […]

New York State Department of Health Revises Proposed Hospital Cybersecurity Regulations

June 27, 2024 By Andrew Liebler and Alysa Austin

In May 2024, the New York State Department of Health (“NYSDOH”) issued revisions to proposed regulations on hospital cybersecurity that it first released in November 2023. The proposed revised regulations are subject to public comment ending on July 1, 2024, and would apply to general hospitals licensed under Article 28 of the NYS Public Health […]

DOJ Announces $11.3 Million in Settlements for FCA Violations

June 25, 2024 By Kristen Bartolotta and Privacy, Cyber & Data Strategy Team

On Monday, June 17, 2024, the Department of Justice (DOJ) announced a settlement in which two U.S. based consulting companies agreed to pay a combined total of $11.3 million to resolve allegations that they violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements in government contracts. According to the DOJ, the […]

Article: White Paper on Clarifying Definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024

June 12, 2024 By Daniel Felz and Santi Villar

Peter Swire, Senior Counsel at Alston & Bird, has published a white paper at the Cross-Border Data Forum (“CBDF”), analyzing the definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”), which was passed on April 24, 2024 and will take effect on June 23, 2024. The white paper discusses some ambiguities […]

Data Breach Notification Requirements under the Safeguards Rule Now in Effect

June 11, 2024 By Daniel Felz and Dorian Simmons

For years, the Gramm-Leach-Bliley Act (GLBA) has required financial institutions to maintain reasonable safeguards for consumer data, but has only had limited breach-reporting requirements. To the extent financial institutions were subject to breach-reporting obligations, these were set by non-GLBA legislation, such as state law, or by relatively narrow incident-reporting rules under Interagency Guidelines overseen by […]