Echoing other agencies in recent weeks, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued an alert sharing resources to address and protect institutions against the recent influx of ransomware attacks.  Resources included a White House Memo urging companies to strengthen their commitment to cybersecurity.…

Colorado recently joined Virginia and California in passing a more comprehensive privacy law. The Colorado Privacy Act (CPA) will go into effect July 1, 2023. This is six months after Virginia’s law (CDPA) and California’s Privacy Rights Act (CPRA), which amends the existing CCPA, go into effect. The law does not have a private right of action, and the AG is to adopt regulations on certain aspects by July 1, 2023.…

The New York State Department of Financial Services recently announced new guidance addressing ransomware attacks, and highlighting cybersecurity measures to significantly reduce the risk of an attack.  The guidance comes as ransomware rates have been increasing, and builds on the post SolarWinds guidance from NYDFS about supply chain management. It was released just prior to the most recent large attack, namely the July 2nd supply-chain ransomware attack centered on the U.S. information technology firm Kaseya.…

The Georgia Supreme Court recently concluded that Georgia’s equivalent of the CFAA should be viewed narrowly, similar to the US Supreme Court’s recent, similar decision in Van Buren. In Kinslow v. State, the Georgia Supreme Court held that even if there is unauthorized use of a computer or computer network, there must be enough evidence to prove that the defendant used the computer network knowingly without authority and with the intention of obstructing or…

The European Commission announced today a long-awaited decision that the UK data protection standards are adequate under the meaning of GDPR’s Article 45, providing a mechanism to enable transfer of data from the EU to the UK without the need for additional authorisation or putting in place additional safeguards. This decision will be in force for four years but can be withdrawn if the UK were to lower its standards and no longer provide EU…

Texas’s data breach notification law was recently amended to require the state’s Attorney General to post notice of data breaches on a public website within 30 days of receiving notice of the data breach. It also requires companies to provide the AG with more information when notifying the AG of a breach.…

MoviePass, a movie subscription service, has agreed to a proposed settlement with the FTC over alleged deception and lack of security allegations. The now-defunct company not only allegedly marketed its service as a “one movie per day” service – yet took steps to actively deny subscribers such access – it also failed, according to the FTC, to secure subscriber’s personal data. The company also was alleged to have violated the Restore Online Shoppers’ Confident Act,…