New York Attorney General Letitia James recently announced two agreements related to data breaches with entities that operate in the education industry. In both instances the entities paid the ransom and received evidence of deletion of the stolen data. Most recently, on October 5, 2023 the Office of the Attorney General (OAG) announced a $49.5 […]
Board Governance & Cyber Risk Management
Penn State University Hit With False Claims Act Suit for Alleged Cyber Security Deficiencies
On September 1, 2023, the U.S. District Court for the Eastern District of Pennsylvania unsealed a qui tam False Claims Act (“FCA”) lawsuit (originally filed on October 5, 2022) alleging Penn State University failed to provide “adequate security” for Covered Defense Information, as contractually required by Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012. DFARS requires […]
UK Government Makes a Bridge to The EU-U.S. Data Privacy Framework
On 21 September 2023, the UK Government adopted the Data Protection (Adequacy) Regulations 2023, also referred to as the “UK-U.S. Data Bridge”. The UK-U.S. Data Bridge will allow companies to legitimately transfer personal data from the UK to the U.S. on the basis of the recently enacted EU-U.S. Data Privacy Framework (“DPF”). The UK Government […]
California Proposes Annual Audits to Assess Sufficiency and Compliance of Company Cybersecurity
In late August 2023, the California Privacy Protection Agency (“CPPA” or “Agency”) released a discussion draft of proposed regulations under California’s data privacy law, the California Consumer Privacy Act (“CCPA”). Importantly, the proposed regulations set forth more detailed obligations for company cybersecurity programs, including routinely assessing and filing audits with the CPPA. Though these draft […]
Oregon Enacts Comprehensive State Privacy Law
On July 18, 2023, Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act (SB 619)(“OCPA”) into law, making Oregon the eleventh state to enact a comprehensive state privacy law. OCPA will take effect on July 1, 2024, however the effective date for covered non-profits is delayed until July 1, 2025. While OCPA aligns with […]