PH Privacy
Paul Hastings Hosts Cybersecurity Law Updates Panel at Privacy+Security Forum
November 08, 2024
By Dave Coogan & Kimia Favagehi
On October 23, 2024, Paul Hastings hosted the Cybersecurity Law Workshop at this fall’s Privacy+Security Forum with a panel on Cybersecurity Law Updates.
The panel was moderated by Paul Hastings associate Dave Coogan, and featured panelists Rachael Pashkevich Koontz (Associate Gen. Counsel, Cybersecurity & Data Protection, Booz Allen Hamilton), Ben Kastan (Senior Counsel, Data Protection & Cybersecurity, Visa), Matthew Greenberg (Senior Lead Counsel, Cybersecurity, Wells Fargo), and Brandon Pugh (Policy Director and Resident Senior Fellow, Cybersecurity and Emerging Threats, R Street).
The past year saw significant cybersecurity law updates. Here are some key takeaways from the panel:
Increasing Complexity and Lack of Harmonization
The panelists observed that new U.S. federal regulatory requirements that took effect over the past year have increased compliance complexity for companies. Examples of new requirements include the Federal Trade Commission’s breach notification requirements under the Gramm-Leach-Bliley Act and its amended Health Breach Notification Rule. Additional reporting requirements are on the horizon, including the pending reporting rules under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Although the Office of the National Cyber Director issued a report earlier this year on harmonizing cybersecurity regulatory reporting requirements, the steady addition of new, overlapping reporting regimes shows that complexity is still increasing rather than converging.
SEC Form 8-K
Public companies are now required to report material cybersecurity incidents to the SEC on Form 8-K (Item 1.05). While companies need to be mindful of underreporting, panelists noted a recent trend toward overreporting, where some companies file disclosures even when the incident may not have had a material impact. Panelists also urged companies subject to the disclosure requirement to work out in advance the process for contacting the Federal Bureau of Investigation, since the FBI is the entry point if a company wants to seek a delay of disclosure on national security or public safety grounds, and that process is difficult to stand up in the middle of an incident.
Ransomware Developments
Panelists also discussed the importance of conducting impact assessments to determine the actual impact of a ransomware incident, and noted that affected organizations should start from the position of not paying any ransom and should discuss internally why that is likely the best approach. Companies that have been the victim of a ransomware attack should conduct internal OFAC sanctions checks on the threat actor and should have external counsel do the same before any payment is considered.
State Updates
States have also increasingly addressed cybersecurity. Perhaps most well known, the NYDFS Cybersecurity Regulation (23 NYCRR Part 500) continues to roll out new requirements. On November 1, 2023, NYDFS announced amendments to the Cybersecurity Regulation, several of which have recently taken effect, including a new category of “Class A Companies” that are held to more stringent requirements. In California, the California Privacy Protection Agency (CPPA) has discussed draft cybersecurity regulations, which are on the agenda for the November 2024 CPPA meeting. The draft regulations would require cybersecurity audits and risk assessments, among other obligations.
The Privacy+Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz and brings together leading experts in the areas of privacy and security law. Paul Hastings was a sponsor for this fall’s Forum, which took place from October 23-25 in Washington, D.C.
Our Privacy and Cybersecurity practice regularly advises companies on key issues. If you have any questions concerning these issues or any other data privacy or cybersecurity developments, please do not hesitate to contact any member of our team.