Cyber Security, Data Governance, & Privacy
CISA Published a “Playbook” Regarding Cybersecurity Vulnerability and Incident Response Activity
On November 16, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) published two “Playbooks” to strategize and conduct “cybersecurity vulnerability and incident response activity.”
Illinois Governor Enacts the Protecting Household Privacy Act, to be Effective Soon
On August 27, 2021, Governor Pritzker of Illinois signed into law HB 2553, which was intended to establish parameters on the collection and use of household electronic data by law enforcement, effective January 1, 2022.
Senators Introduce the Protecting Sensitive Personal Data Act
On November 2, 2021, U.S. Senators Marco Rubio and Raphael Warnock introduced Senate Bill 3130, the Protecting Sensitive Personal Data Act (the “Act”), which aims to “expand the transactions for which declarations may be required by the Committee on Foreign Investment in the United States to include investments in United States businesses that maintain or collect sensitive personal data.”
Kansas Enforcement Action Surrounding Data Disposal Puts Businesses on Notice of State Law Violation
On November 1, 2021, the Kansas attorney general ordered three national companies to pay fines totaling nearly $500,000 for the alleged unlawful disposal of business records that they manage containing consumers’ personal information. These companies allegedly violated the Kansas Consumer Protection Act and the Wayne Owen Act—a Kansas law governing identity theft and fraud.
CNA Cyber-Attack Cautions Businesses to Examine Their Insurance Policies
In March of 2021, one of the largest Chicago-based insurance agencies, CNA, suffered a cybersecurity attack that all business owners should be aware of.
House Financial Services Subcommittee Held Hearing on Cyber Threats
On November 3, the U.S. House Financial Services Subcommittee on Consumer Protection and Financial Institutions (the “Subcommittee”) held a live hearing titled “Cyber Threats, Consumer Data, and the Financial System.”
FTC Identifies New Hacking Tricks
On October 27, 2021, the Federal Trade Commission (FTC) issued warnings to companies that it had identified two new hacking tricks involving fake IRS emails and Google Voice scams.
FBI Issues Warning That M&A Transactions at Risk for Ransomware Attacks
On November 1, 2021, the FBI issued a Private Industry Notification, warning companies that “ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.”
CISA Releases Directive Regarding Cyber Vulnerabilities
On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, to act as “a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguarding federal information and information system.”
New York Department of Financial Services Issues New Cybersecurity Guidance
On October 22, 2021, the New York Department of Financial Services issued guidance regarding the adoption of an affiliate’s cybersecurity program. This guidance is intended to apply to all entities regulated by the DFS.
SEC Commissioner Issues Cybersecurity Potential Rulemakings and Preventative Measures
On October 29, 2021, the U.S. Securities and Exchange Commission (SEC) Commissioner Elad L. Roisman described potential rulemakings by the SEC on cybersecurity, and provided recommended measures companies can utilize to prevent cyberattacks, even in the absence of regulatory action.
FTC Amends the Safeguards Rules for Customer Information
On October 27, the Federal Trade Commission (FTC) issued a Final Rule that amended the Standards for Safeguarding Customer Information, known as “the Safeguards Rule,” under the Gramm-Leach-Bliley Act. The amendment contains five main modifications to the existing Rule.
Fifth Circuit Issues Rules on Risk of Loss in Data Breach
In this case, a retail company, Landry’s (plaintiff), contracted with Paymentech, LLC (Paymentech) to process customer credit card transactions at its many retail locations. When malware infected Landry’s payment processing devices, the names, card numbers, expiration dates, and internal verification codes of multiple credit card companies’ customers were compromised.
Global Privacy Legislative Updates
In 2021, several states have implemented new policies or amendments to existing policies regarding consumers’ privacy rights. Although Texas has yet to pass any similar amendments, your organization should review these legislative changes for the purpose of doing business with these states and to apprise yourself of potential changes in the sector.
OFAC issued its “Sanctions Compliance Guidance for the Virtual Currency Industry”
On October 15, 2021, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued its “Sanctions Compliance Guidance for the Virtual Currency Industry” (“Guidance”) to identify their sanction requirements and to provide the virtual currency industry — which includes technology companies, exchanges, miners, wallet providers, service providers and users — and traditional financial institutions with best practices in how to structure their compliance programs to avoid potential violations and enforcement actions.
Important Changes in Cybersecurity and Data Governance
In recent months, we have seen a dramatic increase in the interest of regulators, government agencies, and legislators in matters of cybersecurity and data governance. Attached is a discussion of recent agency guidance, proposed legislation, and policy statements pertaining to cybersecurity and how they may affect your organization.