Cyber Legal Intelligence

Live regulatory actions, enforcement decisions, new legislation, and court rulings

12 events
implementation deadline | critical | European Union | European Union Agency for Cybersecurity

DORA Becomes Applicable — EU Financial Sector Enters New Compliance Era

The Digital Operational Resilience Act (DORA) became applicable on January 17, 2025, requiring EU financial entities to comply with comprehensive ICT risk management, incident reporting, resilience testing, and third-party risk management requirements.

about 1 year ago
proposed rule | high | United States (Federal)

HIPAA Security Rule Proposed Update — HHS Proposes Mandatory Encryption and Enhanced Requirements

HHS proposed significant updates to the HIPAA Security Rule in January 2025, including mandatory encryption of ePHI (removing the "addressable" designation), mandatory MFA, enhanced audit controls, and network segmentation requirements.

about 1 year ago
implementation deadline | high | European Union | European Union Agency for Cybersecurity

EU Cyber Resilience Act Enters into Force

The EU Cyber Resilience Act (CRA) entered into force on December 11, 2024, establishing mandatory cybersecurity requirements for products with digital elements sold in the EU market.

over 1 year ago
new bill | high | Australia | Australian Signals Directorate

Australia Passes Cyber Security Act 2024 — New Obligations for Ransomware Reporting

Australia enacted the Cyber Security Act 2024, introducing mandatory ransomware payment reporting, minimum cybersecurity standards for smart devices, and enhanced powers for the Australian Signals Directorate.

over 1 year ago
implementation deadline | high | European Union | European Union Agency for Cybersecurity

NIS2 Directive Transposition Deadline Passed — Member State Implementation Status

The October 17, 2024 deadline for EU member states to transpose NIS2 into national law passed with several member states failing to meet the deadline. The European Commission has initiated infringement proceedings against non-compliant states.

over 1 year ago
enforcement guidance | high | Singapore | Cyber Security Agency of Singapore

Singapore CSA Publishes Cybersecurity (Amendment) Act 2024 Implementation Guidelines

The Cyber Security Agency of Singapore published implementation guidelines for the Cybersecurity (Amendment) Act 2024, which expanded the Cybersecurity Act to cover systems of temporary cybersecurity concern, major cybersecurity incidents, and foundational digital infrastructure providers.

over 1 year ago
implementation deadline | medium | United States (Federal) | Federal Trade Commission

FTC Safeguards Rule — 30-Day Breach Notification Requirement Takes Effect

The FTC's updated Safeguards Rule breach notification requirement took effect, requiring non-bank financial institutions to notify the FTC within 30 days of discovering a security breach affecting 500 or more customers.

almost 2 years ago
proposed rule | critical | United States (Federal)

CIRCIA NPRM Published — CISA Proposes Comprehensive Cyber Incident Reporting Framework

CISA published its Notice of Proposed Rulemaking for CIRCIA on April 4, 2024, proposing definitions of covered entities, covered cyber incidents, and reporting procedures for the mandatory cyber incident reporting regime.

almost 2 years ago
enforcement action | critical | United States (Federal) | Securities and Exchange Commission

SEC Charges SolarWinds and CISO with Fraud and Internal Controls Failures

The SEC charged SolarWinds Corporation and its Chief Information Security Officer Timothy Brown with fraud and internal controls failures for allegedly misleading investors about cybersecurity practices before and after the 2020 SUNBURST cyberattack.

💰 Pending
over 2 years ago
enforcement guidance | medium | India | Indian Computer Emergency Response Team

CERT-In Issues Updated Directions on Cybersecurity Incident Reporting for Cloud Service Providers

India's CERT-In issued clarifications and updated guidance on cybersecurity incident reporting obligations for cloud service providers, virtual private network providers, and virtual asset service providers under the 2022 Directions.

over 2 years ago
fine penalty | critical | United States (Federal) | New York Department of Financial Services

NYDFS Issues $35M Penalty Against First American Title Insurance for 2019 Data Exposure

The New York Department of Financial Services (NYDFS) imposed a $35 million penalty against First American Title Insurance Company for exposing 885 million sensitive documents through a website vulnerability. This is one of the largest NYDFS cybersecurity enforcement actions to date.

💰 $35,000,000
over 2 years ago
consent order | high | United States (Federal) | Federal Trade Commission

FTC Finalizes Order Against Drizly and CEO for Data Security Failures

The FTC finalized an order against Drizly LLC and its CEO James Cory Rellas for data security failures that exposed personal information of approximately 2.5 million consumers. Notably, the order imposed personal obligations on the CEO.

💰 N/A (injunctive relief)
about 3 years ago