
As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Key Point: The FCC revised its breach notification rules for telecommunication providers to broaden the instances when notifications are required, but even with limited exceptions to the new requirements, the final rule further complicates the existing maze of federal reporting requirements.

Continue Reading: The Federal Communications Commission Updates its 2007 Breach Disclosure Regulations

Key Point: The Federal Trade Commission (FTC) has amended the Safeguards Rule to require non-banking financial institutions to inform the FTC within 30 days of discovering any unauthorized acquisition of unencrypted customer information that affects 500+ customers.

The Federal Trade Commission (FTC) has announced a significant amendment to the Safeguards Rule that directs all financial institutions, including non-banking entities, to report certain data breaches and security events to the FTC within 30 days.

The Safeguards Rule, which is predicated on the Gramm-Leach-Bliley Act (GLBA), now requires all financial institutions to report “notification events” to the FTC. The FTC defines a notification event as “the unauthorized acquisition of unencrypted customer information, involving at least 500 customers.” The amendment goes into effect in April 2024. See pending additions at 16 C.F.R. § 314.2(m) and § 314.5.

Continue Reading: Federal Trade Commission Amends GLBA’s Safeguards Rule

Keypoint: To advance the National Cybersecurity Strategy, the Office of the National Cyber Director is soliciting public comments to harmonize cybersecurity regulations, with comments due by October 31, 2023.

In March 2023, the White House released its National Cybersecurity Strategy (NCS), which envisions two changes in how the United States allocates roles, responsibilities, and resources in cyberspace:

  • Rebalancing the responsibility to defend cyberspace; and
  • Realigning incentives towards long-term investments to reward security and resilience.

This rebalance and realignment explicitly acknowledges that collaboration between private and public sector stakeholders will be necessary.

Continue Reading: The Invitation to Streamline Cybersecurity Regulations

Key Point: The decision-making process used to determine whether a cybersecurity incident is material should include documenting the factors behind each determination, and it should be practiced before an incident occurs.

In Parts I and II of this blog series, we discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures and offered registrants suggestions for preparing the new disclosure required in their annual reports. In Part III, we offer planning suggestions for determining whether a cybersecurity incident is material and needs to be disclosed on a Current Report on Form 8-K, or whether the incident is not material.

Continue Reading: Twelve Planning Tips to Avoid Complications with the SEC’s Cybersecurity Disclosure Rules: Part III

Key Point: Drafting the material cybersecurity risks disclosures in registrants’ annual reports will require careful planning to avoid giving malicious cyber actors a blueprint of the corporate network.

Part I of this blog series discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures. In Part II, we offer ideas for preparing the disclosure required in the registrant’s annual report about the registrant’s material cybersecurity risks and the governance structure used to assess and manage these risks.

Continue Reading: Twelve Planning Tips to Avoid Complications with the SEC’s Cybersecurity Disclosure Rules: Part II

Key Point: To avoid inadvertently increasing enforcement and litigation risks, companies should consider these suggestions to minimize headaches with the SEC’s final rules, which mandate (a) disclosures in annual reports of corporate procedures to address material risks from cybersecurity threats, and (b) the filing of a Form 8-K disclosure within four business days after determining that a material cybersecurity incident occurred.

In a 3-2 vote on July 26, 2023, the U.S. Securities Exchange Commission (the “SEC”) adopted new cyber incident disclosure rules for publicly traded companies (“registrants”). Although the final rules (the “adopting release”) impose similar disclosure requirements on foreign private issuers, this article focuses on domestic issuers. The SEC intends for the new rules to enhance and standardize registrants’ cybersecurity risk management, strategy, governance, and incident response disclosures, thereby giving investors access to better information. However, there is a strong possibility that the final rules will cause companies to file cautionary disclosures, forcing investors to sift through more noise to find meaningful information.

To minimize the risk of SEC enforcement actions and litigation, registrants must develop plans and procedures for (1) updating the disclosure in their annual reports and (2) determining whether a cybersecurity incident affecting the organization is material or not.

Part I of this series discusses the compliance dates and the SEC’s new definitions pertaining to cybersecurity. Parts II and III will offer suggestions for making disclosures in annual reports and material cybersecurity incidents, respectively.

Continue Reading: Twelve Planning Tips to Avoid Complications with the SEC’s Cybersecurity Disclosure Rules: Part I

Keypoint: President Biden shows a strong preference for the cybersecurity expertise of former National Security Agency (NSA) leaders with his choices for significant cyber roles within his administration.

On April 12, 2021, the White House announced that President Biden selected two individuals to join his administration in the area of cybersecurity. Mr. Chris Inglis is nominated to be the first national cyber director, and Ms. Jen Easterly is nominated to serve as the new director of the Cybersecurity and Infrastructure Security Agency (CISA). Both positions require confirmation by the U.S. Senate.

Continue Reading: Biden Administration Names Key Leaders to Cybersecurity Positions

Keypoint: New Utah law creates incentive for businesses to develop and implement a written cybersecurity program to protect themselves against data breach lawsuits.

On March 11, 2021, Utah governor Spencer Cox signed the Cybersecurity Affirmative Defense Act, which creates affirmative defenses to certain causes of action arising out of a breach of system security.

Continue Reading: Utah Gets a New Data Breach Defense Law

As an update to our previous post, HHS announced that the deadline to submit comments on their proposed rule to revise HIPAA regulations was extended until May 6, 2021. Changes contemplated by the proposed rule involve relaxing certain privacy standards, strengthening individuals’ rights to access their protected health information (PHI) and other initiatives that

Keypoint: New York’s Division of Financial Services (DFS) now requires Property and Casualty Insurers writing cyber insurance to comply with the Division’s Cyber Insurance Risk Framework to manage their risk.

In her letter introducing the Cyber Insurance Risk Framework, DFS Superintendent Linda Lacewell states that the increase in frequency and cost of ransomware has not only shown that cybersecurity is of critical importance to modern life, but also that cyber insurance plays a vital role in the mitigation and reduction of risk from ransomware.

According to its 2020 survey, DFS found a 180% increase in the number of ransomware claims between 2018 and 2019, with an increase of 150% on average for the costs associated with those claims. The problem continued in 2020, when DFS received nearly double the number of reports of ransomware attacks from the year prior. Not only are these trends a concern for consumer protection and infrastructure security, but the escalating costs also pressure the cyber insurance industry to raise prices, tighten its underwriting standards, and issue sweepingly broad exclusions.

Continue Reading: New York’s DFS Publishes a Cyber Insurance Risk Framework