Photo of Erik Dullea

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Follow:Read more about Erik DulleaErik's Linkedin Profile

Key Point: Drafting the material cybersecurity risks disclosures in registrants’ annual reports will require careful planning to avoid giving malicious cyber actors a blueprint of the corporate network.

Part I of this blog series discussed the compliance dates and the new definitions in the U.S. Securities Exchange Commission’s (the “SEC”) final rules (the “adopting release”) for cybersecurity disclosures. In Part II, we offer ideas for preparing the disclosure required in the registrant’s annual report about the registrant’s material cybersecurity risks and the governance structure used to assess and manage these risks.

Key Point: To avoid inadvertently increasing enforcement and litigation risks, companies should consider these suggestions to minimize headaches with the SEC’s final rules that mandate (a) disclosures in annual report of corporate procedures to address material risks from cybersecurity threats, and (b) the filing of a Form 8-K disclosure within four business days after determining a material cybersecurity incident occurred.   

In a 3-2 vote on July 26, 2023, the U.S. Securities Exchange Commission (the “SEC”) adopted new cyber incident disclosure rules for publicly traded companies (“registrants”). Although the final rules (the “adopting release”) impose similar disclosure requirements on foreign private issuers, this article focuses on domestic issuers. The SEC intends for the new rules to enhance and standardize registrants’ cybersecurity risk management, strategy, governance, and incident response disclosures, thereby giving investors access to better information. However, there is a strong possibility that the final rules will cause companies to file cautionary disclosures, forcing investors to sift through more noise to find meaningful information.

To minimize the risk of SEC enforcement actions and litigation, registrants must develop plans and procedures for (1) updating the disclosure in their annual reports and (2) determining whether a cybersecurity incident affecting the organization is material or not.

Part I of this series discusses the compliance dates and the SEC’s new definitions pertaining to cybersecurity. Parts II and III will offer suggestions for making disclosures in annual reports and material cybersecurity incidents, respectively.

Keypoint: President Biden shows a strong preference for the cybersecurity expertise of former National Security Agency (NSA) leaders with his choices for significant cyber roles within his administration.

On April 12, 2021, the White House announced that President Biden selected two individuals to join his administration in the area of cybersecurity. Mr. Chris Inglis is nominated to be the first national cyber director, and Ms. Jen Easterly is nominated to serve as the new director of the Cybersecurity and Infrastructure Security Agency (CISA). Both positions require confirmation by the U.S. Senate.

Keypoint: New Utah law creates incentive for businesses to develop and implement a written cybersecurity program to protect themselves against data breach lawsuits.

On March 11, 2021, Utah governor Spencer Cox signed the Cybersecurity Affirmative Defense Act, which creates affirmative defenses to certain causes of action arising out of a breach of system security.

Health Insurance Portability and accountability act HIPAA and stethoscopeAs an update to our previous post, HHS announced that the deadline to submit comments on their proposed rule to revise HIPAA regulations was extended until May 6, 2021. Changes contemplated by the proposed rule involve relaxing certain privacy standards, strengthening individuals’ rights to access their protected health information (PHI) and other initiatives that

Keypoint: New York’s Division of Financial Services (DFS) now requires Property and Casualty Insurers writing cyber insurance to comply with the Division’s Cyber Insurance Risk Framework to manage their risk.

In her letter introducing the Cyber Insurance Risk Framework, DFS Superintendent Linda Lacewell states that the increase in frequency and cost of ransomware has not only shown that cybersecurity is of critical importance to modern life, but also that cyber insurance plays a vital role in the mitigation and reduction of risk from ransomware.

According to its 2020 survey, DFS found a 180% increase in the number of ransomware claims between 2018 and 2019, with an increase of 150% on average for the costs associated with those claims. The problem continued in 2020, where DFS received nearly double the number of reports of ransomware attacks from the year prior. Not only are these trends a concern for consumer protection and infrastructure security, the escalating costs pressure the cyber insurance industry to raise prices, tighten its underwriting standards, and issue sweepingly broad exclusions.

creditcards1iStock_000036595886_Large

Keypoint: April 12, 2021 is the deadline to comment on a proposed rule that would require banking organizations and bank service providers to promptly report computer-security incidents.

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively the “agencies”) are requesting public comment on a proposed rule requiring banks to notify the applicable agency within 36 hours when the banks believe in good faith that a significant cybersecurity event has occurred. Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2399 (Jan. 12, 2021).

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.

On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.

The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, (iii)implementing guidelines to disclose security vulnerabilities to contractors and report the resolution of those vulnerabilities.

Key Point: California AG Becerra’s investigation into security flaws in the Glow fertility app results in a settlement agreement that resembles recent enforcement agreements in New York but is also unique in requiring the app’s developer to consider gender-specific concerns within its privacy-by-design principles.

“When you meet with your doctor or healthcare provider in person, you know that your sensitive information is protected. It should be no different when you use healthcare apps over the internet,” according to California’s Attorney General Becerra. The consequences of not having the appropriate data protections? It means “a digital disclosure of your private medical records is instantaneously and eternally available to the world” per Becerra.

For these reasons, especially in the new era of telemedicine, developers of medical applications (health app) understand that consumers’ privacy and security must be protected. “Excuses are not an option,” Becerra warns. California’s settlement agreement with Upward Labs Holdings, Inc. (Upward Labs) and its subsidiary Glow, Inc. (Glow), is an example that Becerra’s warning should not be ignored.