Topic: Data and cybersecurity

The United States Federal Government is turning its attention to privacy and cybersecurity laws, and the result has been several recent legal developments that may have an impact on your business. Keeping up with these developments is not easy, so we’ve created a fun way to test your knowledge of the same.

On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) published a Notice of Proposed Rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which imposes new reporting requirements for entities operating in critical infrastructure sectors. The CIRCIA was originally enacted in part as a response to recent attacks on critical infrastructure, such as the ransomware attack on Colonial Pipeline in May 2021, but CISA’s proposed regulations take a surprisingly broad view of who may be considered a covered entity and what incidents are reportable.

On 7 March 2024, the European Court of Justice (the ECJ) published an important decision in relation to IAB Europe’s Transparency and Consent Framework (the TCF).

This article first appeared in PLC Magazine in the January / February 2024 issue of PLC Magazine.

A flurry of significant European Court of Justice judgments relating to data protection were published in the final few months of 2023.

2024 was not a happy new year for Genesis Global Trading, Inc. (“GGT”). On January 3, 2024, the New York Department of Financial Services announced a consent order with GGT, where GGT agreed to pay NYDFS $8 million and to surrender its BitLicense (for cryptocurrency trading), due to alleged violations of NYDFS’ cybersecurity and its virtual currency regulations. This post will focus on the cybersecurity regulation issues. (For more information about the crypto and financial services/regulation aspects, please see https://www.nortonrosefulbright.com/en/knowledge/publications/4c9650ae/2023-crypto-round-up

On 3 January 2024, the European Central Bank (ECB) announced that it will be conducting a cyber resilience stress test on 109 directly supervised banks in 2024.

December tends to be a busy time for everyone, so you may have missed a privacy update or two. We have set out some updates in the form of questions, with links in the answers where you can find more information. (For those making this quiz a competitive event, we have included a tie-breaker/bonus question.)

On 19 December 2023, the Financial Conduct Authority (FCA), the Bank of England (BoE) and the Prudential Regulation Authority (PRA) published the latest annual CBEST thematic report.

On December 13, 2023, the Federal Communications Commission (FCC) voted to update a 16-year-old privacy rule expanding breach notification requirements for telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS). Under the new rule, these companies are now required to adequately safeguard sensitive customer information in an attempt to hold phone companies accountable for protecting customer information and to allow customers to protect their own information.