Cybersecurity

DOJ Settles Another False Claims Act Case for Alleged Failures in Implementing NIST SP 800-171 and Basic Cybersecurity Controls

May 28, 2025 By Kim Peretti, Andrew Liebler, Lance Taubin, Andrew Rice and Samantha Skolnick

On May 1, 2025, the U.S. Department of Justice (DOJ) announced a settlement under the False Claims Act (FCA) involving defense contractors Raytheon Company (Raytheon), RTX Corporation (RTX), and Nightwing Group—the successor owner to one of Raytheon’s cybersecurity business lines (collectively “the Companies”). The Companies agreed to pay $8.4 million to resolve allegations of noncompliance […]

UK Publishes Software Security Code

May 15, 2025 By Hanna Hewitt and Kelly Hagedorn

Cyber security supply chain risks are growing, and attacks on vendors and other third parties cause severe disruption to businesses. For example, in recent years we have seen many incidents that have involved threat actors compromising third-party software used by a significant number of customers. With that background, on May 7, 2025, the National Cyber […]

CPPA Issues Revised Draft CCPA Regulations; Votes to Initiate Public Comment Period

May 9, 2025 By Dorian Simmons

On May 1, 2025, the California Privacy Protection Agency (“CPPA”) Board convened to discuss revisions to the California Consumer Privacy Act (“CCPA”) draft regulations on cybersecurity audits, risk assessments, automatic decisionmaking technology (“ADMT”), insurance, and updates to the existing CCPA regulations. The revisions were informed by comments received by the CPPA during the formal public […]

UK Data Protection Regulator Fines UK Law Firm ~$80,000 Following Ransomware Incident

May 6, 2025 By Hanna Hewitt and Kelly Hagedorn

On April 14, 2025, the UK data protection regulator (the Information Commissioner’s Office (“ICO”)) fined DPP Law (“DPP”) £60,000 (approximately $80,000) following a ransomware incident. In its penalty notice, the ICO found that DPP failed to implement appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 UK GDPR. This is the […]

DOJ Settles False Claims Act Case with MORSECORP Over Cybersecurity Program

May 6, 2025 By Kim Peretti, Andrew Liebler, Lance Taubin and Andrew Rice

On March 26, 2025, the United States Department of Justice (DOJ) announced that it had reached an agreement with MORSECORP Inc. (MORSE) to settle alleged violations of the False Claims Act (FCA), specifically regarding MORSE’s cybersecurity program. The DOJ and MORSE—a government contractor that provides services to both the Departments of the Army and Air […]