Tag Archives: Michael T. Borgia

Commerce Department Proposes Cybersecurity/AI Reporting and “KYC” Requirements for Certain Cloud Providers

by Robert Stankey, K.C. Halm, Michael T. Borgia, Andrew M. Lewis, and Assaf Ariely

Left to right: Robert Stankey, K.C. Halm, Michael T. Borgia, Andrew M. Lewis, and Assaf Ariely (photos courtesy of Davis Wright Tremaine LLP)

IaaS providers would need to verify foreign users’ identities (aka “know your customer”) and report certain AI model training activities under the proposed rules

The U.S. Department of Commerce’s (“Commerce”) Bureau of Industry and Security (“BIS”) has issued a proposed rule (the “Proposed Rule”) that would impose significant diligence, reporting, and recordkeeping requirements on U.S. providers of Infrastructure as a Service (IaaS) and their foreign resellers. IaaS is generally considered to be a cloud computing model that provides users with remote access to servers, storage, networking, and virtualization.

The Proposed Rule would require U.S. IaaS providers to:

  • Implement and maintain a “Customer Identification Program” (CIP), which must include detailed know-your-customer (KYC) procedures for identifying and reporting foreign customers to Commerce; and
  • Report transactions involving foreign persons that “could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.”

DOJ, FBI Issue Guidance for Public Companies Seeking to Delay Disclosure of Material Cybersecurity Incidents

by Michael T. Borgia and Patrick J. Austin

Left to right: Michael T. Borgia and Patrick J. Austin (Photos courtesy of Davis Wright Tremaine LLP)

Public companies may only request a delay of the SEC’s disclosure requirements for national security or public safety reasons

As we discussed in our prior blog post, the Securities and Exchange Commission (SEC) recently finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the “Rule”). The Rule requires, among other things, that public companies disclose “material” cybersecurity incidents on Form 8-K (Form 6-K for foreign private issuers). Item 1.05 of Form 8-K must include the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations,” and the form must be filed within four business days of determining that an incident is material. The Rule permits companies to delay disclosure beyond four business days only where the U.S. Attorney General determines that disclosure “would pose a substantial risk to national security or public safety.” The Rule’s cyber incident disclosure requirements go into effect on December 18, 2023.

CISA Releases Revised Draft of Secure Software Development Self-Attestation Form

by Michael T. Borgia, Andrew M. Lewis, and Patrick J. Austin

Left to right: Michael T. Borgia, Andrew M. Lewis, and Patrick J. Austin. (Photos courtesy of Davis Wright Tremaine LLP)

Once Finalized, the Form will Establish Secure Software Development Baselines for Companies that Provide Software to the Federal Government

The Cybersecurity and Infrastructure Security Agency (CISA) has released a revised draft of its Secure Software Development Attestation Common Form (“Form”). The Form, once finalized, will obligate vendors providing software to the federal government to attest to enumerated practices to secure their software, third-party components, and the development environment. Software vendors to federal agencies are advised to review the draft Form and assess their current secure development practices—both for in-house and third-party developed software—against the Form’s relevant attestations and the supporting NIST guidance. Software producers unable to make any of the required attestations should prioritize conforming their software development practices to the Form’s attestations and NIST guidance, and should consider whether to pursue a plan of action and milestones (POA&M) with their federal agency customers once the Form is finalized.

Delaware’s New Personal Data Privacy Act

by Michael T. Borgia, Benjamin Robbins, and Patrick J. Austin

From left to right: Michael T. Borgia, Benjamin Robbins, and Patrick J. Austin. Photos courtesy of Davis Wright Tremaine LLP.

The Delaware Personal Data Privacy Act (DPDPA or Act) became law on September 11, 2023, making Delaware the 13th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, Texas, and Oregon. The DPDPA will become effective on January 1, 2025. We highlight key aspects of the DPDPA below.

Oregon Consumer Privacy Act Signed Into Law

by Nancy Libin, Michael T. Borgia, John D. Seiver, David L. Rice, and Patrick J. Austin

Left to right: Nancy Libin, Michael T. Borgia, John D. Seiver, David L. Rice, and Patrick J. Austin (photos courtesy of Davis Wright Tremaine LLP)

Oregon becomes the 12th state with a comprehensive consumer data privacy law

The Oregon Consumer Privacy Act (OCPA) became law on July 18, 2023. Oregon is the twelfth state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Florida, and Texas. The OCPA goes into effect July 1, 2024 (the same date as the recently enacted privacy laws in Texas and Florida). The effective date for non-profits—which, unlike under most other state privacy laws, are not exempt under the OCPA—is delayed until July 1, 2025.

SEC Delays Proposed Cybersecurity Rules

by Michael T. Borgia, Alexander Sisto, and Patrick J. Austin

From left to right: Michael T. Borgia, Alexander Sisto, and Patrick J. Austin (Photos courtesy of Davis Wright Tremaine LLP)

Proposed rules for public companies, investment advisors, and funds are now expected to be finalized in October 2023 at the earliest

According to its Spring 2023 rulemaking agenda, the U.S. Securities and Exchange Commission (SEC) has delayed issuance of two sets of cybersecurity requirements that previously were expected to be finalized in April 2023. The SEC’s proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies and its proposed rule on Cyber Risk Management for Investment Advisers, Registered Investment Companies and Business Development Companies now are scheduled to be finalized by October 2023 at the earliest.

Three other sets of proposed requirements—amendments to Reg S-P on safeguarding customer information, amendments to Reg SCI on cybersecurity and IT resilience (among other things) for “SCI entities,” and a new Cybersecurity Risk Management Rule for broker-dealers, clearing agencies and other SEC-regulated entities—now are slated for April 2024.

New Washington Law Has Broad Implications For Protecting Consumer Health Data

by Nancy Libin, Adam H. Greene, Rebecca L. Williams, David L. Rice, Michael T. Borgia, John D. Seiver, and Kate Berry

Top row from left to right: Nancy Libin, Adam H. Greene, Rebecca L. Williams, and David L. Rice.
Bottom row from left to right: Michael T. Borgia, John D. Seiver, and Kate Berry. (Photos courtesy of Davis Wright Tremaine LLP)

Landmark ‘My Health My Data’ Act Reaches Beyond Washington and Into the Courts With a Private Right of Action

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (the “Act”), which will regulate the collection, use, and disclosure of “consumer health data” (“Consumer Health Data” or “CHD”). The Act is intended to provide stronger privacy and security protections for health-related information not protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), but a significant gap remains. In spite of its title and purported focus on the health information of Washington residents, a careful reading of the Act shows that it will have a much broader reach – both geographically and substantively. Most provisions of the Act come into effect on March 31, 2024, with small businesses required to comply by June 30, 2024. Some sections (e.g., Section 10 prohibition against “geofencing”) do not provide effective dates. It is unclear whether those sections become effective on July 22, 2023, which would be 90 days after the end of the legislative session, as provided under Washington law, or whether failure to include an effective date for all sections of the Act was an oversight.

SEC Settles Ransomware Disclosure Charges for $3 Million

by Michael T. Borgia, Alexander Sisto, and Robertson Park

From left to right: Michael T. Borgia, Robertson Park, and Alexander Sisto. (Photos courtesy of Davis Wright Tremaine LLP)

The U.S. Securities and Exchange Commission (“SEC” or the “Commission”) has ordered Blackbaud, Inc. (“Blackbaud”) to pay $3 million to resolve claims that it made materially misleading statements about a 2020 ransomware attack and failed to maintain adequate disclosure controls related to cybersecurity. The SEC’s March 9, 2023 order and accompanying press release focuses on three allegedly material misstatements: Blackbaud’s failure to correct a statement on its website that the attack did not compromise bank account information or Social Security numbers—even after Blackbaud personnel investigating the attack found clear information to the contrary; the company’s failure to disclose the compromise of that sensitive data in a Form 10-K; and the company’s cybersecurity risk statement in its Form 10-Q characterizing the risk of sensitive data exfiltration as merely hypothetical, despite knowing that exfiltration of unencrypted bank account information, Social Security numbers, and usernames and/or passwords had occurred as a result of the ransomware attack.
