Password Protected

On Nov. 4, the Department of Defense announced significant changes to the Cybersecurity Maturity Model Certification program, intended to simplify the certification standard and prioritize protection of certain types of controlled defense information.

Read on for an overview of the changes, a timeline for their implementation and implications for defense contractors.

On Sept. 15, the Federal Trade Commission issued a policy statement emphasizing that developers of health apps and other connected devices and their service providers must meet breach notification requirements under the Health Breach Notification Rule, including a rapid 10-day notice period to the FTC and a 60-day notice period to individuals and the media.

One might think that any company reasonably anticipates litigation after suffering a data breach, so the work product doctrine would almost inevitably protect its data breach investigation. But only a handful of companies have succeeded in claiming such protection.

In In re Rutter’s Data Security Breach Litigation, Civ. A. No. 1:20-CV-382, 2021 U.S. Dist. LEXIS

Amazon’s financial records have revealed that the Luxembourg data protection supervisory authority, the Commission Nationale pour la Protection des Données (“CNPD”), is fining the retailer’s European arm (Amazon Europe Core S.à.r.l.) an eyewatering 746 million euros (£636m or $838m) for breaches of the EU’s General Data Protection Regulation (“GDPR”).

When the GDPR was introduced in

New York City’s recently enacted biometric privacy law took effect July 9, 2021. While the law is vague as to exactly who must abide by certain subsections, it is undoubtedly consumer-focused. However, even if employers escape New York City’s biometric ordinance, a looming New York state law may soon impose more expansive biometric requirements on

On June 14, 2021, the Board of the newly-formed California Privacy Protection Agency (“CPPA”) held its first public meeting.  The Board had an extensive agenda, covering topics such as the laws affecting the Board and CPPA, initial hiring strategy for the CPPA, policies and practices on delegations of authority and conflicts of interest, establishment of

Yesterday, the Supreme Court resolved a circuit split on the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) in a decision that emphasizes the importance of how organizations manage access to their systems.  Employees with access to information at work sometimes access that information with improper motives, and in violation of office

On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), discussed in a previous McGuireWoods’ post. The comment period for these proposals recently ended

On April 14, 2021, the United States Department of Labor (the “DOL”) issued for the first time guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants guidance on cybersecurity issues. The DOL’s press release includes three pieces of guidance, including: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices;

The technology sector runs the gamut from artificial intelligence (AI), the Internet of Things (IoT) to SaaS companies or cybersecurity, and from the biggest household names to the smallest companies being operated out of garages. The rise of AI and traps for the unwary were previously covered here.  Risks of investing in SaaS Solutions