Chris Cwalina (US)

Subscribe to all posts by Chris Cwalina (US)

US SEC charges SolarWinds and its CISO for alleged cybersecurity misstatements and controls failures

On October 30, 2023, the SEC announced charges against SolarWinds and its Chief Information Security Officer Timothy Brown. Read our full analysis at www.nortonrosefulbright.com. Special thanks to Law Clerk Ian Slingsby (Washington, DC) for his assistance in the preparation of this content.… Continue reading

Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act

On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard.  Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy … Continue reading

FTC Signals Additional Scrutiny for Data Breaches

On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act.  Historically, the FTC has not been explicit about its notification expectations, but in blog post published by the FTC’s CTO and Division of Privacy and Identity Protection, … Continue reading

New PCI DSS v4.0 – Flexibility added

On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making.  In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments.  The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

Who gets to decide to pay the ransom in a ransomware attack?

The onslaught of ransomware attacks since the pandemic began has not slowed.  Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups.  But organizations also need to be prepared to respond to such an attack if their cybersecurity practices are … Continue reading

Cyber authorities sound the alarm on critical vulnerability In Java Library

On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading

OFAC Announces New Measures to Address Ransomware Attacks

The U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) implemented additional measures today to combat the growing ransomware problem.  OFAC’s measures consist of: (1) the designation of the entire SUEX OTC, S.R.O. (“SUEX”) crypto-currency exchange (SUEX) to the SDN List; (2) designating a fairly large number (~25) additional digital currency addresses to the … Continue reading

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading

President Biden’s Executive Order on improving the nation’s cybersecurity

On May 12, 2021, President Biden issued an Executive Order aimed at improving cybersecurity of the federal government, with assistance from the private sector.  The 18-page Executive Order does not set forth specific requirements, but rather sets deadlines for named agencies to develop requirements, standards, or guidelines on specific cybersecurity areas.  The Executive Order also … Continue reading

CCPA: “Wait and see” is not the right approach

We are seeing companies use many different approaches to the California Consumer Privacy Act (“CCPA”) compliance, but the “wait and see” approach in particular is not advisable. Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links … Continue reading

Nine States Pass New And Expanded Data Breach Notification Laws

In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New … Continue reading

California Consumer Privacy Act: Disclosure requirements

This is the Data Protection Report’s fourth blog posts in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA. The California Consumer Privacy … Continue reading

California Consumer Privacy Act: GDPR-like definition of personal information

This is the Data Protection Report’s third blog post in a series of CCPA blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information … Continue reading

The European Parliament asks for the suspension of the privacy shield

On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while … Continue reading

US states pass data protection laws on the heels of the GDPR

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here.   Like their European counterparts, these state laws are intended to provide consumers with … Continue reading
LexBlog