Constangy Cyber Advisor 

When cyberattacks strike global giants, it’s front-page news. But what about the smaller breaches -- the ones that don’t make headlines? Increasingly, they’re making waves in courtrooms and regulatory enforcement agencies. Continue Reading ›

Another type of cyber attack. Continue Reading ›

The recent shutdown of the federal government has left many critical services in limbo, including the nation’s primary cybersecurity agency. Amid the ongoing budget standoff in Congress, funding for the Cybersecurity and Infrastructure Security Agency lapsed, coinciding with the expiration of the Cybersecurity Information Sharing Act of 2015. Continue Reading ›

After a long weekend, Finance Manager Joe sits at his desk to read his emails. One of the emails is from a trusted vendor with whom the Joe communicates on a regular basis, regarding an unpaid invoice that is due immediately. The vendor tells Joe that he was having “issues” with his bank and recently changed accounts. The vendor provides instructions for Joe to wire funds. As this is a known partner with whom the company has a good relationship, Joe wires the amount due. Two weeks later, the vendor contacts Joe to let him know that the invoice has not been paid. In a panic, Joe reads the emails he received and observes that one letter in the vendor’s original email address is different from the vendor’s legitimate email address. Joe calls the bank in a panic but is advised that the money has been withdrawn and that his company’s account has a balance of $0.00. Continue Reading ›

As cyberattacks and cybercriminals are becoming increasingly sophisticated, safeguarding employee benefit plans, including health and welfare plans, is crucial. Continue Reading ›

On December 24, New York Gov. Kathy Hochul (D) signed into law an amendment to section 899-aa of the N.Y. General Business Law, also known as The Shield Act, modifying the law’s data breach notification requirements. Continue Reading ›

A Written Information Security Plan, or “WISP,” is essential for any organization that handles sensitive personal information. Here’s a quick breakdown of who needs a WISP and why, as well as a checklist to develop one: Continue Reading ›

Amid the continued wave of consumer class action lawsuits targeting the use of cookies, pixels, beacons, and other tracking tools on organizations’ websites, a recent decision from the Massachusetts Supreme Judicial Court departed from other jurisdictions by holding that the state’s wiretap act did not apply to the use of these emerging technologies. Continue Reading ›

You've been hit by a ransomware attack, and a cybercriminal group is demanding a cryptocurrency payment in exchange for your data's safe return. Should you pay? Continue Reading ›

Happy Cyber Monday!

In honor of Computer Security Day (which was Saturday), we have a quiz designed to test your grasp of key laws, regulations, and best practices that keep your personal, financial, and sensitive information safe. Continue Reading ›

Financial institutions are now required to notify the Federal Trade Commission about any security breach that involves the information of 500 customers or more. The breach must be reported no later than 30 days after it is discovered. Continue Reading ›

Joseph Sullivan, Uber’s beleaguered former Chief Information Security Officer, was back in the news last month when he appealed his 2023 conviction for his role in concealing a 2016 breach of Uber’s network and customer data.  Continue Reading ›

We’re thrilled to announce exciting new additions to the Constangy Cyber Team, with three new partners and a law clerk. Each new team member brings unique experience and skills to our offices in Philadelphia, Chicago, and New York. Continue Reading ›

New York’s Cybersecurity Regulation continues its phased roll-out on November 1, when licensed financial services companies face a host of new requirements aimed at bolstering breach readiness and improving their ability to recover from disastrous situations. Companies will be required to put in writing how they would address several common pressure points in the breach response and mitigation process – including how they plan to recover from backups if critical data is lost. Continue Reading ›

Data breaches have become a serious issue for businesses, leading to numerous putative class action lawsuits alleging that the defendants failed to prevent the unauthorized disclosure of personally identifiable information or protected health information of their employees or customers. Continue Reading ›

The NetDiligence Cyber Risk Summit, which was held September 30-October 2 in Philadelphia, featured panels focused on the latest developments and challenges in cyber risk. Speakers included insurance, legal, and technology experts from a wide variety of organizations in the cyber risk industry. Continue Reading ›

On October 1, Montana became the newest state with a comprehensive data privacy law, the Montana Consumer Data Privacy Act. Continue Reading ›

On April 24, the Federal Trade Commission announced that it had finalized changes to its Health Breach Notification Rule - to address emerging technologies.

Specifically, the Rule was broadened to (1) apply to entities not currently subject to the Health Insurance Portability and Accountability Act, (2) clarify what a breach of security is, (3) expand notification methods, (4) impose additional requirements for the content of notifications, and (5) amend the timeframe for issuing required notifications to the FTC. Continue Reading ›

Businesses continue to be subjected to a steady stream of consumer class action lawsuits alleging improper collection or disclosure of information from their websites. A variety of laws and legal claims are used to support the suits. Some lawsuits assert violation of laws that are not particularly cutting edge, such as the Video Privacy Protection Act, or cite to non-disclosed use of more modern technology such as tracking pixels. In many of the lawsuits, both types of claims are asserted.   Continue Reading ›

Laura Balson in our Chicago office recently discussed an amendment to the Illinois Biometric Information Privacy Act. At that time, the Illinois House and Senate had passed an amendment to Illinois Biometric Information Privacy Act, or “BIPA,” which was awaiting the signature of Gov, J.B. Pritzker (D). The amendment has now been signed and must be a consideration in BIPA litigation and in the use of biometric data.

Most significantly, the amendment specifies that an individual is limited to one recovery, even if there were multiple scans that violated the Act. This is good news for businesses. Continue Reading ›

Minnesota has become the 18th state to enact a comprehensive consumer privacy law. On May 24, Gov. Tim Walz (D) signed the Minnesota Consumer Data Privacy Act into law to provide privacy rights to Minnesotans and to impose new requirements on businesses and organizations handling personal data. For most covered entities, the law will go into effect on July 31, 2025. Continue Reading ›

Effective May 24, 2024, the Office of the Privacy Commissioner of Canada (OPC) has introduced a new online PIPEDA breach reporting form for federal institutions and businesses subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Continue Reading ›

The past couple of years have seen a number of states enact comprehensive privacy laws. Thus far, California, Colorado, Connecticut, Utah, and Virginia have enacted state privacy laws. In July, we will see three new privacy laws take effect in Texas, Oregon, and Florida. A privacy law in Montana will become effective on October 1. Continue Reading ›

The State of Utah recently amended its general data breach notification statute to update the content that must be reported to the Utah Attorney General or the Utah Cyber Center. The amendments also clarify when notifications can be considered confidential or classified under the state’s public records law. Continue Reading ›

On April 6, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024, sending the bill to the state’s governor for signing.  The bill comes on the heels of the Kentucky Consumer Data Protection Act, which was signed into law on April 4.  If the Act is signed into law, it will bring the number of states with comprehensive privacy laws to 16. Continue Reading ›

On March 20, the U.S. House of Representatives passed House Resolution 7520, the Protecting Americans’ Data from Foreign Adversaries Act of 2024, targeting companies that sell sensitive information to “foreign adversaries.”  H.R. 7520 comes on the heels of two other major developments. First, House Resolution 7521 would require TikTok to divest from its Chinese parent company. Second, President Biden’s Executive Order 14117, requires, among other things, that the Attorney General make rules restricting data brokers from selling bulk sensitive personal data to “countries of concern.” The two resolutions and the E.O. are part of a growing, bipartisan trend to restrict access to sensitive information by foreign adversaries. Continue Reading ›

Yesterday, March 27, the U.S. Cybersecurity and Infrastructure Security Agency published the Notice of Proposed Rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. It is important to note that these are draft rules and do not, on their own, require organizations to report any incidents until after a Final Rule is published. CISA expects to publish the Final Rule in late 2025 with an effective date at least 60 days after publication. This is likely to push the effective date into 2026. Continue Reading ›

Last week, the California Attorney General announced its second-ever settlement under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. The settlement was with the online food ordering and delivery platform DoorDash. Continue Reading ›

In an opinion filed on Friday, California’s Third District Court of Appeal reversed a lower court ruling that postponed until the end of March the enforcement of regulations promulgated pursuant to the California Privacy Rights Act. Continue Reading ›

The ever-increasing privacy and security risks via third-party vendors and service providers were apparent in 2023 with news of large organizations such as MOVEit, Okta and AT&T being affected. Research has shown that 98 percent of organizations have at least one third-party vendor that experienced a cyber incident within the past two years. With this growing trend, it is increasingly important for organizations to develop robust third-party risk management programs and to consistently review their third-parties to safeguard against security threats and ensure the security and privacy of their data. Continue Reading ›

The New York Department of Financial Services recently amended its Cybersecurity Regulation. The revisions aim to strengthen cybersecurity and technology controls to address evolving threats to consumer data and ensure the continued integrity of financial systems. Here are a few key elements of the amendments to Regulation and what we think will be their immediate impact on financial institutions. Continue Reading ›

‘Tis the season for the hustle and bustle of year-end holiday activities. With that comes the increased risk of cybercriminals exploiting the season to find vulnerabilities. This includes taking advantage of increased online transactions, employee vacations, and holiday gift-giving to launch attacks on organizations large and small. Below are some steps companies can consider taking to increase their defenses against the most common holiday cybersecurity threats: Continue Reading ›

As we near the end of another year, it is time to look ahead to developments in the information security and privacy landscape. One area of particular importance is the development of regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Continue Reading ›