Chris Cwalina (US)

Subscribe to all posts by Chris Cwalina (US)

Maybe This Time : Federal Government Proposes the American Data Privacy and Protection Act

On Friday, June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act, (ADPPA), a watershed privacy bill that would introduce a federal standard. Currently, a hodgepodge of industry-specific and state laws make up the backbone of American privacy regulations and rights, so a national framework for privacy … Continue reading

FTC Signals Additional Scrutiny for Data Breaches

By Anna Rudawski (US) and Chris Cwalina (US) on May 25, 2022 Posted in Cybersecurity, Data breach, Privacy law, Ransomware, Regulatory response

On May 20, 2022, the Federal Trade Commission (FTC) stated that failure to disclose a data breach may be a violation of Section 5 of the FTC Act. Historically, the FTC has not been explicit about its notification expectations, but in blog post published by the FTC’s CTO and Division of Privacy and Identity Protection, … Continue reading

New PCI DSS v4.0 – Flexibility added

By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on May 16, 2022 Posted in Cybersecurity

On March 31, 2022, the PCI Security Standards Council released the new version of the Payment Card Industry Data Security Standards (version 4.0), which represents an update almost four years in the making. In addition to some clarifications and rearrangements, the new PCI DSS 4.0 includes 51 new requirements for all entities, and 13 new … Continue reading

Congress Agrees – 72-Hour Cyber Incident Reporting Requirement to Take Effect

By Chris Cwalina (US), Ashley Zatloukal (US), Anna Rudawski (US), Will Daugherty (US) and Alexis Wilpon (US) on March 16, 2022 Posted in Cybersecurity, Data breach, Ransomware

On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments. The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks … Continue reading

Who gets to decide to pay the ransom in a ransomware attack?

By Chris Cwalina (US), Kevin J. Harnisch (US), Ilana Beth Sinkin (US) and Ashley Zatloukal (US) on January 18, 2022 Posted in Cybersecurity, Data breach, Ransomware

The onslaught of ransomware attacks since the pandemic began has not slowed. Organizations have been faced with the task of continuously reviewing their cybersecurity programs to ensure they are following best practices to protect against ransomware groups. But organizations also need to be prepared to respond to such an attack if their cybersecurity practices are … Continue reading

Cyber authorities sound the alarm on critical vulnerability In Java Library

By David Kitchen (US), Chris Cwalina (US), Anna Rudawski (US), David Kessler (US) and Will Daugherty (US) on December 13, 2021 Posted in Cybercrime, Cybersecurity, Ransomware, Vendor management and transactions

On December 9, 2021 a critical vulnerability (CVE-2021-44228) was reported within the Apache Log4j Java logging framework. The vulnerability allows threat actors to remotely execute code on both on-premises and cloud-based application servers, thereby obtaining control of the impacted servers. This is a critical vulnerability of very high significance to government and industry groups. See … Continue reading

OFAC Announces New Measures to Address Ransomware Attacks

By Chris Cwalina (US), Ashley Zatloukal (US) and Stefan H. Reisinger (US) on September 21, 2021 Posted in Cybercrime, Cybersecurity, Ransomware

The U.S. Department of Treasury, Office of Foreign Assets Control (“OFAC”) implemented additional measures today to combat the growing ransomware problem. OFAC’s measures consist of: (1) the designation of the entire SUEX OTC, S.R.O. (“SUEX”) crypto-currency exchange (SUEX) to the SDN List; (2) designating a fairly large number (~25) additional digital currency addresses to the … Continue reading

US SEC announces three actions charging firms for cybersecurity deficiencies

By Kevin J. Harnisch (US), Chris Cwalina (US), Will Daugherty (US), Ashley Zatloukal (US) and Matthew Niss (US) on September 15, 2021 Posted in Cybersecurity, Enforcement

The SEC announced enforcement actions against three sets of advisers for alleged failures in cybersecurity policies that violate the Safeguards Rule.… Continue reading

Another One Bites the Dust: Court once again finds data breach forensic report isn’t protected by privilege

By Chris Cwalina (US), Ashley Zatloukal (US) and Anna Rudawski (US) on July 27, 2021 Posted in Cybercrime, Cybersecurity, Data breach, Vendor management and transactions

On July 22, 2021, a federal court in Pennsylvania held that an investigative report created by Kroll (the “Kroll Report”), the defendant’s third party cybersecurity consultant, and related communications were not protected by privilege. The court found that the Kroll Report was not protected by the work-product doctrine or attorney-client privilege. The decision comes after … Continue reading

President Biden’s Executive Order on improving the nation’s cybersecurity

By Chris Cwalina (US), Will Daugherty (US) and Susan Ross (US) on May 19, 2021 Posted in Cybersecurity

On May 12, 2021, President Biden issued an Executive Order aimed at improving cybersecurity of the federal government, with assistance from the private sector. The 18-page Executive Order does not set forth specific requirements, but rather sets deadlines for named agencies to develop requirements, standards, or guidelines on specific cybersecurity areas. The Executive Order also … Continue reading

CCPA: “Wait and see” is not the right approach

By Chris Cwalina (US), David Kessler (US), Steve Roosa (US), Jeewon Kim Serrato (US) and Susan Ross (US) on August 29, 2019 Posted in CCPA, Compliance and risk management

We are seeing companies use many different approaches to the California Consumer Privacy Act (“CCPA”) compliance, but the “wait and see” approach in particular is not advisable. Companies who want to “wait and see” point to the pending amendments to CCPA that are currently working through the California Senate (as we have previously described—see links … Continue reading

Cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on July 29, 2019 Posted in General

We are pleased to report that Norton Rose Fulbright has been shortlisted for cyber law firm of the year at the 2019 Insurance Insider Cyber Rankings Awards.… Continue reading

Nine States Pass New And Expanded Data Breach Notification Laws

By Chris Cwalina (US), Jeewon Kim Serrato (US), Anna Rudawski (US) and Alexis Wilpon (US) on June 27, 2019 Posted in Data breach

In the absence of federal action, states have been actively passing new and expanded requirements for privacy and cybersecurity (see some examples here and here). While laws like the California Consumer Privacy Act (CCPA) are getting all the attention, many states are actively amending their breach notification laws. Illinois, Maine, Maryland, Massachusetts, New Jersey, New … Continue reading

California Consumer Privacy Act: Disclosure requirements

By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin* (US) on September 11, 2018 Posted in CCPA

This is the Data Protection Report’s fourth blog posts in a series of CCPA blog posts that will break down the major elements of the CCPA, which will culminate in a webinar on the CCPA in October. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA. The California Consumer Privacy … Continue reading

Norton Rose Fulbright – cyber law firm of the year nomination

By Chris Cwalina (US), Ffion Flockhart (UK) and Steven Hadwin (UK) on August 29, 2018 Posted in General

We are grateful to our clients and industry contacts for nominating us as cyber law firm of the year at the 2018 Insurance Insider Cyber Rankings Awards. The winner will be determined from the results of a wide-ranging survey of insurers and brokers and will be announced on September 21, 2018.… Continue reading

California Consumer Privacy Act: GDPR-like definition of personal information

By Chris Cwalina (US), Jeewon Kim Serrato (US), Steve Roosa (US) and Tristan Coughlin* (US) on August 27, 2018 Posted in CCPA

This is the Data Protection Report’s third blog post in a series of CCPA blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information … Continue reading

The European Parliament asks for the suspension of the privacy shield

By Chris Cwalina (US), Jeewon Kim Serrato (US), Susan Ross (US) and Tristan Coughlin* (US) on July 17, 2018 Posted in Regulatory response

On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while … Continue reading

US states pass data protection laws on the heels of the GDPR

By Jeewon Kim Serrato (US), Chris Cwalina (US), Anna Rudawski (US), Tristan Coughlin* (US) and Katey Fardelmann (US) on July 9, 2018 Posted in Compliance and risk management, Regulatory response

Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here. Like their European counterparts, these state laws are intended to provide consumers with … Continue reading