Ericka Johnson

As we reported in a previous blog post, the New York Department of Financial Services (“NYDFS”) proposed a raft of amendments to its landmark Cybersecurity Regulations (the “Regulations”) in 2022 (the “2022 Proposed Amendment”), adding substantial complexity to covered entities’ compliance obligations. Now, less than a year later, the NYDFS has published a proposed revised draft of the 2022 Proposed Amendment (as revised, the “2023 Proposed Amendment”). While not as extensive as the 2022 Proposed Amendment, the 2023 Proposed Amendment will nevertheless have a significant impact on how your organization complies with the Regulations.

Last week, on March 15, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) continued its aggressive push to regulate the cybersecurity of entities in the financial services sector, proposing three rules affecting a variety of SEC-regulated entities, including broker-dealers, investment companies, and investment advisers, as we covered here on Privacy World.  These

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.


On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

CPW’s Ericka Johnson and Gicel Tomimbang will be the featured speakers at the June in-person meeting of the ISSA (Information Systems Security Association) Los Angeles chapter, focused on the latest cyber threats to national security. The Biden administration has identified cybersecurity as a national and economic security focus, and has implemented new regulations, expanded existing authorities, and

Indiana passed HB 1351 in March 2022, amending Indiana’s data breach notification law. Indiana’s breach notification law, as currently drafted, requires entities to notify Indiana residents and the Indiana Attorney General of a breach of the security of data without unreasonable delay and consistent with any measures necessary to determine the scope of the breach

Although data breaches and data breach litigation are not rare, trials concerning the appropriate response to cybersecurity incidents are. For this reason, many, particularly those involved with incident response, have been keeping a close eye on a federal trial underway in Missouri. The case involved a law firm sued by its former client, an insurance

As covered here at CPW, President Biden recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”).  While the Act presents a plethora of issues for litigators and compliance professionals to consider, CPW has identified five key points that businesses should know about the Act:

  1. Many Critical Ambiguities

On March 21, 2022, President Biden warned U.S. companies, particularly those operating in critical infrastructure sectors, that “[b]ased upon evolving intelligence, Russia may be planning a cyberattack against us.”  See details here.  The evolving intelligence appears to be based upon, among other things, a March 18th advisory from the FBI to U.S.

On March 21, 2022, President Biden publicly recognized that, while his Administration is prioritizing modernizing the federal government’s cybersecurity practices, it is the patriotic obligation of the private sector to invest as much as it can in preparing for cyberattacks.

Over the course of the past month, media images of the war in Ukraine show


President Biden has recently delivered on a long-stated priority of his presidency: requiring the disclosure of cybersecurity incidents for companies that operate critical infrastructure. After announcing an executive order in May 2021 aimed at modernizing the federal government’s cybersecurity practices, the same sweeping changes will now affect private companies that operate critical