Cybersecurity

Subscribe to Cybersecurity via RSS
conny-schneider-xuTJZ7uD7PI-unsplash (2)

Seyfarth Shaw is proud to sponsor the 2025 Masters Conference, a premier boutique legal event hosted in cities across the U.S., as well as in Toronto and London. The conference will be held on Tuesday, May 20, 2025, at Seyfarth’s Chicago office and will feature keynote presentations, panel discussions, workshops, and networking opportunities.

Topics will include eDiscovery, Artificial Intelligence, Information and Data Governance, Legal Project Management, Forensics and Investigations, Knowledge Management, and Cybersecurity.

Seyfarth partners Jay Carle, Matthew Christoff, and Jason Priebe will share their insights as featured panelists throughout the day. Additional information about their panel topics is outlined below.

For more information and to register, click here.Continue Reading Seyfarth to Sponsor and Present at 2025 Masters Conference

kaffeebart-KrPulSdUetk-unsplash (1)

On September 6, 2024, the U.S. Department of Labor (DOL) issued Compliance Assistance Release No. 2024-01, titled “Cybersecurity Guidance Update.” The updated guidance clarifies that the DOL cybersecurity guidance applies to all ERISA-covered plans, and not just retirement plans, but also health and welfare plans. Also, as a direct response to service providers’

rodion-kutsaiev-0VGG7cqTwCo-unsplash (3)

Seyfarth Synopsis: In a significant decision for website operators, the Massachusetts Supreme Judicial Court clarified that tracking users’ web activity does not constitute illegal wiretapping under the state’s Wiretap Act. The court found that person-to-website interactions fall outside the Act’s scope, which focuses on person-to-person communications. However, the court emphasized that other privacy laws could

muha-ajjan-sL2BRR1cuvM-unsplash

This blog post is co-authored by Seyfarth Shaw and The Chertoff Group and has been cross-posted with permission.

What Happened

On July 26, the U.S. Securities & Exchange Commission (SEC) adopted its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure final rule on a 3-2 vote. The final rule is a modified version of the SEC’s earlier Notice of Proposed Rulemaking (NPRM) released in March 2022. The final rule formalizes and expands on existing interpretive guidance requiring disclosure of “material” cybersecurity incidents.Continue Reading SEC Publishes Public Company Cybersecurity Disclosure Final Rule

glenn-carstens-peters-npxXWgQ33ZQ-unsplash

This post was originally published to Seyfarth’s Global Privacy Watch blog.

On July 10th, the European Commission issued its Implementing Decision regarding the adequacy of the EU-US Data Privacy Framework (“DPF”). The Decision has been eagerly awaited by US and Europe based commerce, hoping it will help business streamline cross-Atlantic data transfers, and by

On March 15, 2023 the Securities and Exchange Commission (“SEC”) proposed three new sets of rules (the “Proposed Rules”) which, if adopted, would require a variety of companies to beef up their cybersecurity policies and data breach notification procedures. As characterized by SEC Chair Gary Gensler, the Proposed Rules aim to promote “cyber resiliency” in

Introduction

Employers need to be aware of the significant changes that are on the horizon when the California Privacy Rights Act (CPRA) becomes operative on January 1, 2023.

By way of background, in November of 2021, California residents voted to pass the CPRA, which affords California consumers heightened rights and control over their personal information. 

At the end of May, 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft proposal only covers a few topics the Agency is seeking to cover. The issues covered in this draft of the regulations include data collection and processing

Introduction

On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed mandates for cybersecurity disclosures by public companies. If adopted, these mandates seek to provide investors a deeper look into public companies’ cybersecurity risk, governance, and incident reporting practices. SEC chair Gary Gensler noted in a statement regarding the proposed mandates that cybersecurity incidents continue to become a growing risk with “significant financial, operational, legal, and reputational impacts.”

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.” – Gary Gensler, SEC ChairpersonContinue Reading SEC Proposes Mandatory Cybersecurity Disclosures by Public Companies

Introduction

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Act will require critical infrastructure organizations (defined below) to report cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The Act also creates an obligation to report ransomware payments within 24 hours.

According to the Federal Bureau of Investigation’s 2021 Internet Crime Report, released on March 23, 2022, cyber incidents rose 7% from 2020, with potential losses topping $6.9 billion. Many of the most threatened organizations fall into the critical infrastructure sector, and in 2021 alone, cyber incidents caused oil and food shortages, as well as supply chain threats. With cyber incidents reaching all-time highs in 2021, the legislation purports to protect U.S. critical infrastructure entities and investigate cyber crimes moving forward. The Act suggests that reporting obligations are being implemented to ensure that the government can support in the response, mitigation, and protection of both private and public companies that are covered under the Act. Within 24 months, CISA’s director is required to issue a proposed rule, and must issue a final rule 18 months after making the proposal. The legislation also authorizes the Director of CISA to issue future regulations to amend or revise that rule.
Continue Reading President Biden Signs Bill Mandating Cyber Reporting for Critical Infrastructure Entities