On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act

Anna Rudawski (US)
CPRA Rulemaking Delayed – California Privacy Protection Agency Meets and Previews CPRA Rulemaking Timeline
On February 17, 2022 the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency. They also shared their projected timeline for rulemaking. The California Privacy Protection Agency (CPPA) is the new agency charged with …
Illinois Supreme Court Rules that Compensation Act is not a bar to BIPA Damages
Illinois’ Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Passed in 2008, BIPA sets out requirements for private entities, including employers, that collect, use, store, and share biometric information. It’s also one of the most popular class action suits today – hundreds, if not thousands of cases have been filed in recent years – and there is no sign that the litigation is slowing down.
Cyber authorities sound the alarm on critical vulnerability In Java Library
On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers.…
Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege
On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll…
CCPA – Health Research Bill Passes Legislature
Although the bill to amend the California Consumer Privacy Act (CCPA) to extend the so-called “B-to-B” and “employee” exceptions for one more year has garnered many headlines, the California legislature passed a second CCPA amendment (AB 713) that…
Schrems II: The US Perspective and where do we go from here?
Schrems II calls into question all transfers of personal information out of the EU that involve export to a country without an adequacy finding. While this affects countries in every region of the world, it does have particular ramifications for…
Mic Drop: California AG releases long-awaited CCPA Rulemaking
On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA).
The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA. In the press release announcing the proposed regulations, Attorney General Becerra described CCPA as “[providing] consumers with groundbreaking new rights on the use of their personal information” and added, “It’s time we had control over the use of our personal data.”
Back At The Negotiating Table: CCPA Amendments Debate Continues
In a 12-hour marathon hearing, the California Senate Judiciary Committee on July 9, 2019, debated, struck down, scaled back and put back on the negotiating table key amendments to the California Consumer Privacy Act (“CCPA”).
Read below to find out what happened to the much-anticipated “employee exception” bill, “customer loyalty program” bill, and the bill to remove the toll-free number requirement.
Nine States Pass New And Expanded Data Breach Notification Laws
In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington have all amended their breach notification laws to either expand their definitions of personal information, or to include new reporting requirements.
Below is a roundup of recent and significant changes.