For years, the Gramm-Leach-Bliley Act (GLBA) has required financial institutions to maintain reasonable safeguards for consumer data, but has only had limited breach-reporting requirements. To the extent financial institutions were subject to breach-reporting obligations, these were set by non-GLBA legislation, such as state law, or by relatively narrow incident-reporting rules under Interagency Guidelines overseen by […]
Security Breach
CISA Posts Notice of Proposed Rulemaking Under CIRCIA
On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a notice of proposed rulemaking (NPRM) implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). For additional background on CIRCIA, see our prior advisory. CISA is required to issue a final rule by October 4, 2025. Who is required to report covered […]
NY AG’s Office Announces Significant Cybersecurity Settlement with Healthcare Company
On January 5, 2024, the New York Attorney General’s Office (“NY AG”) announced a settlement with Refuah Health Center, Inc. (“Refuah”) based on the company’s alleged failures to appropriately safeguard its patients’ information, including failing to encrypt patient information or use multifactor authentication, which allegedly resulted in a May 2021 ransomware attack that impacted approximately […]
FCC Plans to Update Data Breach Notification Rules
After a decade and a half under the current data breach notification rules for telecommunications carriers and telecommunications relay services (TRS) providers, the FCC recently unveiled plans to update and expand them. On November 22, 2023, the FCC issued a Report and Order that it intends to consider at its December 13th meeting that would […]
Ransomware Group, in Midst of Extortion Attempt, Files Regulatory Notice with SEC
Just a month before the Security and Exchange Commission’s (“SEC’s”) Material Cybersecurity Incidents Rule is set to take effect, a ransomware group has apparently taken compliance with reporting requirements into its own hands. On November 15, 2023, the ransomware group known as BlackCat (also known as “AlphV”) posted a notice on its leak site alleging […]