Oviett Worthington Wargula Associate

On February 1, 2024, the Federal Trade Commission announced a complaint and proposed consent order against Blackbaud, Inc. concerning a 2020 data security incident that included a ransomware demand and payment.

A flurry of legislative activity over the past year has brought meaningful changes to a variety of privacy and security provisions in state and federal law. At the state level, as in 2022, we have seen a handful of changes to generally applicable breach notification statutes, along with action on both narrower security provisions and broader omnibus privacy laws.

The Board of the California Privacy Protection Agency held its first meeting since July on Friday, September 8, 2023, and discussed the first public draft of cybersecurity audit regulations and risk assessment regulations. While the CPPA Board expressly announced that the drafts were for board meeting discussion purposes and has not started the formal rulemaking procedures yet, the first public drafts of the regulations provide a roadmap for where the CPPA Board may likely go, and the draft regulations would impose new and detailed compliance requirements.

Critical infrastructure companies should expect substantial new federal cybersecurity requirements based on the National Cybersecurity Strategy that President Biden announced on March 2, 2023. After the Administration announced the Strategy, the EPA released a memorandum addressing cybersecurity in public water systems and TSA released an aviation cybersecurity amendment.

the Transportation Security Administration issued a new security directive to enhance cybersecurity preparedness and resilience for designated passenger and freight railroads.