May 15, 2024

CISA’s Proposed Rule for Critical Infrastructure Cyber Incident Reporting: Analysis of Key Provisions

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 will likely be the most sweeping cybersecurity incident notification regulation in the United States to date, covering entities of various sizes across many sectors. The U.S. Cybersecurity and Infrastructure Security Agency published its much-anticipated Notice of Proposed Rulemaking (Proposed Rule) last month. In this first installment of a two-part guest article series, Covington & Burling attorneys examine the Proposed Rule’s key provisions, including what entities and incidents are covered, and time, manner and content of reports. Part two will discuss data and records preservation requirements, limited exceptions and enforcement mechanisms. It also will summarize the next steps for the proposed rulemaking and offer practical compliance measures companies can begin to implement now. See the Cybersecurity Law Report’s two-part series on the new era of cyber incident reporting and cybersecurity regulation: “Key Provisions” (Oct. 12, 2022), and “How Companies Should Prepare and Engage” (Oct. 19, 2022).

Applying AI in Information Security

AI is being used both by cyber attackers and for cyber defense tactics alike, creating an arms race to see who can come out ahead. The technology will continue to be integrated into advanced defensive tools. This article, distilling analysis provided by Davis Wright Tremaine partners during a firm presentation, addresses how AI is used by cyber attackers and defenders, as well as how companies can assess, procure and deploy AI as an information security tool. It includes contract considerations for AI-based security tools and best practices for secure and resilient AI systems. See “Key Legal and Business Issues in AI-Related Contracts” (Aug. 9, 2023).

New E.U. Directive Expands Scope of Due Diligence

An E.U. directive passed in 2024 requires many large companies around the world to address human rights and environmental issues in their operational chains, including subsidiaries and contract partners. The Corporate Sustainability Due Diligence Directive (CSDDD) is to become part of Member States’ laws over the coming two years, with a few countries adapting existing statutes that already cover the same concerns. This article explores the implications of the CSDDD for large business entities that have an E.U. dimension to their work and for compliance professionals. See our two-part series: “Making Sense of Evolving Regulations, Recent Enforcement Efforts and Antitrust Claims as to ESG Investing in the U.S. and E.U. (Part One of Two)” (May 10, 2023), and “How to Navigate the Rough Waters and Turning Tides of U.S. States’ Anti-ESG Movement and Europe’s Pro-ESG Measures (Part Two of Two)” (May 31, 2023).

Two Data Privacy and Cybersecurity Litigators Join Mintz in Boston

Mintz has welcomed two new members – Scott Lashway and Chris Lisy – to its data & privacy litigation and investigations practice in Boston. The duo arrives from Manatt, Phelps & Phillips, bringing more than two decades of experience. For commentary from Lashway, see “CCPA Litigation Risks: How to Avoid Claims Under Other Statutes” (Feb. 5, 2020). For insights from Mintz, see our two-part series on location data, “FTC and $391‑Million State AG Case Put Location Data Enforcement on the Map” (Jan. 4, 2023), and “A Sensitive Time for Location Data: Tips to Address New Rules and Vendor Standards” (Jan. 18, 2023).

Buchanan Welcomes Cybersecurity and Data Privacy Counsel in New York

Buchanan Ingersoll & Rooney has announced the arrival of Kurt Sanger as counsel in its cybersecurity and data privacy practice group in New York. Sanger specializes in matters involving cybersecurity, AI, privacy compliance, public policy and government relations. For insights from Buchanan, see our two-part series on lessons and trends from the FTC’s 2017 Privacy and Data Security Update: “Enforcement Actions” (Jan. 31, 2018), and “Workshops and Guidance” (Feb. 14, 2018).