On Feb. 9, 2022, the SEC released its long-awaited proposed cybersecurity rule, and there’s a lot to unpack. As GT reported previously, the SEC increased enforcement of cybersecurity compliance in 2021. As recently as Jan. 24, 2022, Chair Gary Gensler made cybersecurity the focus of his speech at Northwestern Law School’s Securities Regulation

On Oct. 27, 2021, the Federal Trade Commission (FTC) amended its Standards for Safeguarding Customer Information (the “Safeguards Rule”), promulgated under the Gramm-Leach-Bliley Act (GLBA).

This GT Alert covers the following:

  • The FTC has expanded the definition of “Financial Institutions” to include more types of companies, although smaller companies remain exempt from more onerous requirements.

The past 12 months have seen an increase in cybersecurity attacks against major companies, placing data breaches on the front page of virtually every major newspaper. The U.S. government has taken notice. In May, the Biden administration issued an executive order requiring government agencies and certain government contractors to comply with cybersecurity requirements. In July,

The Fourth of July is usually reserved for fireworks, and this year was no different. On July 2, 2021, Kaseya, a provider of IT and security-management solutions, announced that it was the target of a supply-chain ransomware attack by the REvil/Sodinokibi (REvil) organized ransomware group. Kaseya’s virtual systems/server administrator (VSA) is a server and cloud-based

On May 12, 2021, President Biden issued an executive order entitled Improving the Nation’s Cybersecurity (EO). The EO was released only days after the cyberattack impacting Colonial Pipeline, and several months following discovery of the penetration of various federal agencies as a result of the SolarWinds cyber breach by Russian hackers in 2019. The

Ian C. Ballon, co-chair of Greenberg Traurig’s Global Intellectual Property & Technology Practice, participated in a virtual panel on Feb. 25 titled “What You Need to Know About Cybersecurity.” He discussed the growing threat of cyberattack and how businesses can prepare for and prevent security breaches.

Click here to read a transcript of the

It depends.

If a written contract between a law firm and its client (e.g., an engagement letter) prohibits the law firm from using, retaining, and disclosing personal information except to the extent permitted by the client, the law firm may be a “service provider” under the CCPA.  The CPRA amended the CCPA’s definition of service

The regulations implementing the CCPA discuss the education of employees regarding CCPA-related responsibilities in two sections:

Section 999.317(a) Section 999.317(g)(3)

All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all of the requirements in the CCPA and these regulations and

The CCPA does not explicitly reference the requirement to train employees, but it does require that:

All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed [concerning the CCPA’s requirements] . . . and how to direct consumers to exercise their rights under those