Photo of Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Keypoint: The New York State Department of Financial Services (NYDFS) issued an industry letter outlining the threats posed to U.S. companies who hire remote technology workers linked to North Korea and may embezzle funds from their new employers.

On November 1, 2024, NYDFS issued guidance warning companies against an increasing risk posed from individuals applying for employment in IT roles who are in fact operating on behalf of North Korea. These applicants seek employment in order to infiltrate western companies’ computer systems and illicitly generate revenue for the North Korean regime.

Keypoint: The New York Department of Financial Services (NYDFS) circulated an industry letter offering guidance to NYDFS “Covered Entities” for assessing and managing AI-related cybersecurity risks, including threats malicious actors using AI and the risks associated with a Covered Entity’s own AI systems.

The NYDFS industry letter (“Letter”) recognizes that Covered Entities can leverage AI to enhance their cybersecurity posture. The department contends that doing so would bolster entities’ compliance with NYDFS cybersecurity regulation 23 NYCRR Part 500 (“Part 500”).

Keypoint: The Texas Attorney General reaches a first-of-its-kind settlement with a healthcare company that provides generative AI products. 

On September 18, 2024, the Texas Attorney General announced that it had reached a settlement with a Dallas-based artificial intelligence healthcare company. The Attorney General’s press release represents that it is a first-of-its-kind settlement, resolving allegations that the company deployed its artificial intelligence (“AI”) products at Texas hospitals while making false and misleading statements about the safety of its products. 

Keypoint: Companies onboarding AI products and services need to understand the potential risks associated with these products and implement contractual provisions to manage them.

With the rapid emergence of artificial intelligence (AI) products and services, companies using these products and services need to negotiate contractual provisions that adequately address the unique issues they present. However, given that this area is new and rapidly emerging, companies may not appreciate that the use of AI may raise unique contractual issues. Even if companies do realize it, they may not know what those provisions should state. In addition, many AI-related contractual terms are complicated and confusing, oftentimes containing new terms and definitions that companies are unfamiliar with handling. 

In the below article, we identify key considerations when reviewing or preparing AI-related contracts. Although there may be other considerations depending on the specific use case, the below considerations should provide the reader with a useful starting point for how to address this issue.

Key Point: The Federal Trade Commission (FTC) has amended the Safeguards Rule to require non-banking financial institutions to inform the FTC within 30 days of discovering any unauthorized acquisition of unencrypted customer information that affects 500+ customers.

The Federal Trade Commission (FTC) has announced a significant amendment to the Safeguards Rule, that directs all financial institutions, including non-banking entities, to report certain data breaches and security events to the FTC within 30 days.

The Safeguards Rule, which is predicated on the Gramm-Leach-Bliley Act (GLBA), now requires all financial institutions to report to report “notification events” to the FTC. The FTC is defining a notification event as “the unauthorized acquisition of unencrypted customer information, involving at least 500 customers.” The amendment goes into effect in April 2024. See pending additions at 16 C.F.R. § 314.2(m) and § 314.5.

Keypoint: To advance the National Cybersecurity Strategy, the Office of the National Cyber Director is soliciting public comments to harmonize cybersecurity regulations, with comments due by October 31, 2023.

In March 2023, the White House released its National Cybersecurity Strategy (NCS), which envisions two changes in how the United States allocates roles, responsibilities, and resources in cyberspace:

  • Rebalancing the responsibility to defend cyberspace; and
  • Realigning incentives towards long-term investments to reward security and resilience.

This rebalance and realignment explicitly acknowledges that collaboration between private and public sector stakeholders will be necessary.

Key Point: The decision making processes to determine whether a cybersecurity incident is material or not, should include documenting the factors behind each determination and should be practiced before an incident occurs.

In Parts I and II of this blog series, we discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures and offered registrants suggestions for preparing the new disclosure required in their annual reports. In Part III, we offer planning suggestions for determining whether a cybersecurity incident is material and needs to be disclosed on a Current Report on Form 8-K, or whether the incident is not material.

Key Point: Drafting the material cybersecurity risks disclosures in registrants’ annual reports will require careful planning to avoid giving malicious cyber actors a blueprint of the corporate network.

Part I of this blog series discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures. In Part II, we offer ideas for preparing the disclosure required in the registrant’s annual report about the registrant’s material cybersecurity risks and the governance structure used to assess and manage these risks.

Key Point: To avoid inadvertently increasing enforcement and litigation risks, companies should consider these suggestions to minimize headaches with the SEC’s final rules that mandate (a) disclosures in annual report of corporate procedures to address material risks from cybersecurity threats, and (b) the filing of a Form 8-K disclosure within four business days after determining a material cybersecurity incident occurred.   

In a 3-2 vote on July 26, 2023, the U.S. Securities Exchange Commission (the “SEC”) adopted new cyber incident disclosure rules for publicly traded companies (“registrants”). Although the final rules (the “adopting release”) impose similar disclosure requirements on foreign private issuers, this article focuses on domestic issuers. The SEC intends for the new rules to enhance and standardize registrants’ cybersecurity risk management, strategy, governance, and incident response disclosures, thereby giving investors access to better information. However, there is a strong possibility that the final rules will cause companies to file cautionary disclosures, forcing investors to sift through more noise to find meaningful information.

To minimize the risk of SEC enforcement actions and litigation, registrants must develop plans and procedures for (1) updating the disclosure in their annual reports and (2) determining whether a cybersecurity incident affecting the organization is material or not.

Part I of this series discusses the compliance dates and the SEC’s new definitions pertaining to cybersecurity. Parts II and III will offer suggestions for making disclosures in annual reports and material cybersecurity incidents, respectively.