Earlier this year, the National Institute of Standards and Technology (NIST) issued an update to its Cybersecurity Framework (CSF) with the release of version 2.0, the first update since April 2018 (version 1.1). While the core components of CSF remain, there are two thematic changes: CSF 2.0 (1) no longer applies just to critical infrastructure […]
Privacy & Cyber Regulatory Enforcement
CISA Posts Notice of Proposed Rulemaking Under CIRCIA
On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a notice of proposed rulemaking (NPRM) implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). For additional background on CIRCIA, see our prior advisory. CISA is required to issue a final rule by October 4, 2025. Who is required to report covered […]
FTC Denies an Application to Add a New Verifiable Parental Consent Mechanism Under COPPA Rule Without Prejudice
On March 29, 2024, the Federal Trade Commission (the “FTC”) published a unanimous decision to deny an application by the Entertainment Software Rating Board, Yoti, and SuperAwesome (collectively, the “Applicants”) to add a new verifiable parental consent (“VPC”) mechanism under the Children’s Online Privacy Protection Rule (“COPPA Rule”). The application, which our previous blog post […]
China Releases Updated Regulations on Permits Needed for Transferring Data out of China
On March 22, 2024, the Cyberspace Administration of China (CAC) published the Regulations on Promoting and Regulating Cross-border Data Flow (the “Regulations”), effective immediately. The Regulations supplement China data protection laws (the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law), and take precedence over previously-issued data transfer rules, such as (a) […]
More Guidance from HHS on Online Tracking Technologies but Questions Remain
Health and Human Services (“HHS”) released updated guidance yesterday on the use of online tracking technologies (like cookies, pixels, software development kits (SDKs), etc.) by HIPAA Covered Entities (the “Updated Guidance”). The Updated Guidance amends and supersedes HHS’s original guidance on the use of digital tracking technologies published on December 1, 2022 (the “Prior Guidance”). […]