Category: Cybersecurity

NIST Releases New Draft of Artificial Intelligence Risk Management Framework for Comment

Share

The National Institute of Standards and Technology (NIST) has released the second draft of its Artificial Intelligence (AI) Risk Management Framework (RMF) for comment. Comments are due by September 29, 2022.

NIST, part of the U.S. Department of Commerce, helps individuals and businesses of all sizes better understand, manage and reduce their respective “risk footprint.”  Although the NIST AI RMF is a voluntary framework, it has the potential to impact legislation. NIST frameworks have previously served as basis for state and federal regulations, like the 2017 New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500).

The AI RMF was designed and is intended for voluntary use to address potential risks in “the design, development, use and evaluation of AI products, services and systems.” NIST envisions the AI RMF to be a “living document” that will be updated regularly as technology and approaches to AI reliability to evolve and change over time.

Continue reading “NIST Releases New Draft of Artificial Intelligence Risk Management Framework for Comment”

Court of Justice of the European Union Recognizes Inferred Special Categories of Personal Data

Share

On August 1, 2022, the Court of Justice of the European Union (CJEU) issued an opinion regarding a Lithuanian data protection case that may signal an expansion of interpretation of the definition of sensitive personal data under the EU’s General Data Protection Regulation (GDPR). Specifically, the CJEU found that data indirectly disclosing sexual orientation constitutes sensitive personal data.

At issue was a Lithuanian law that requires the Chief Official Ethics Commission of Lithuania to publish information about the private interests of public officials in an effort to combat corruption. In the facts underlying the case, a Lithuanian official objected to the Chief Official Ethics Commission’s online publication of his private interest information, which included his spouse’s name. The CJEU concluded that the publication of such information was prohibited by the GDPR because it was “liable to disclose indirectly the sexual orientation of a natural person,” a type of special category of personal data generally prohibited from processing under GDPR Article 9 (processing of special categories of personal data) unless certain additional conditions are satisfied such as the data subject’s explicit consent, or that processing is necessary for reasons of substantial public interest.

Continue reading “Court of Justice of the European Union Recognizes Inferred Special Categories of Personal Data”

NYDFS Releases Pre-Proposed Second Amendment to its Cybersecurity Regulations, 23 NYCRR 500

Share

On July 29, 2022, the New York Department of Financial Services (NYDFS) published the pre-proposed second amendment to its Cybersecurity Regulations, 23 NYCRR 500 (Part 500), that if adopted, would likely require numerous policy and operational changes. NYDFS sought comments to the pre-proposal through August 18, 2022. Although this amendment has been long-anticipated, the next step will be for NYDFS to formally publish the second amendment.

Effective in 2017, Part 500 was a first-of-its-kind state regulation that created mandatory cybersecurity and risk management regulations for “covered entities.” Part 500 defines Covered Entities as persons operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

Continue reading “NYDFS Releases Pre-Proposed Second Amendment to its Cybersecurity Regulations, 23 NYCRR 500”

What Is the Information Blocking Rule? – Faegre Drinker on Law and Technology Podcast

Share

Want to better understand what the Office of the National Coordinator for Health IT’s (ONC) Information Blocking Rule (IBR) is, how it works and why we need it? In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss sits down with Faegre Drinker partners Jeff Ganiban and Doriann Cain, and associate Alex Eschenroeder to discuss all things IBR.

Expected in September 2022, the final draft of the HHS Office of Inspector General’s (OIG) first IBR enforcement rule is aimed at two of the three actor types defined in the IBR: Health IT Developers of Certified Health IT and Health Information Networks / Health Information Exchanges. Under the Cures Act, each IBR violation by a Health IT Developer of Certified Health IT or Health Information Network / Health Information Exchange would be subject to penalties of up to $1 million. The expected rule will establish how the OIG intends to assess and enforce these penalties. (Unfortunately, there is still no guidance on when we can expect a rule regarding the penalties that will apply to IBR violations by Health Care Providers.)

Continue reading “What Is the Information Blocking Rule? – Faegre Drinker on Law and Technology Podcast”

Discussion on the Dangers of Wire Transfer Fraud Cyberattacks – Faegre Drinker on Law and Technology Podcast

Share

Wire transfer fraud cyberattacks: they cost U.S. businesses billions of dollars each year, but you can take action to minimize your risk. In this episode of the Faegre Drinker on Law and Technology Podcast, host Jason G. Weiss talks with intellectual property Partner Ken Dort about this cyber threat also known as business email compromise attacks. They discuss how wire fraud happens, who’s at risk for these attacks, and the complicated process of recovering losses after hackers hit an organization. Jason and Ken also talk through the steps businesses can take now to reduce their risk of wire fraud down the road. 

Continue reading “Discussion on the Dangers of Wire Transfer Fraud Cyberattacks – Faegre Drinker on Law and Technology Podcast”

Ransomware Payments Become an Even Riskier Choice Amidst the Ever-Growing Sanctions List

Share

In February 2022, Executive Order 14024 highlighted that Russia’s invasion of Ukraine threatened not only Ukraine but also the national security and foreign policy of the United States. Pursuant to this executive order, and in the face of national security concerns, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) has instituted extensive sanctions, including both economic and trade sanctions. Also, in response to the national security concerns, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Shields Up notice, urging companies to bolster their cybersecurity to protect themselves against the threat of a cyberattack.

As the conflict between Russia and Ukraine continues, the threat of a cyberattack, specifically ransomware and NotPetya-style attacks, remains top of mind. However, as entities continue to bolster their cybersecurity and protect themselves against these attacks, they should be cognizant of the implications that OFAC sanctions may have in connection with such an attack.

Continue reading “Ransomware Payments Become an Even Riskier Choice Amidst the Ever-Growing Sanctions List”

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy