
Michael Vatis has spent most of his career addressing cutting-edge issues at the intersection of law, policy, and technology. Michael's practice focuses on Internet, e-commerce, and technology matters, providing legal advice and strategic counsel on matters involving privacy, security, encryption, intelligence, law enforcement, Internet gambling, and international regulation of Internet content.

Ransomware attacks have been soaring in frequency and severity, affecting companies, government agencies, and nonprofits and leading to larger and larger ransom demands as a condition for unlocking the victim’s information systems. On June 30, 2021, the New York State Department of Financial Services (NYDFS) issued guidance on how potential victims can minimize the risk

On July 7, 2021, Gov. Jared Polis signed into law the Colorado Privacy Act (CPA), which will go into effect on July 1, 2023. Like California’s and Virginia’s data privacy laws, the CPA aims to provide consumers with greater control over their data and enhanced transparency with respect to how their data is used. However,

Just as retail stores, bars, restaurants, and entertainment venues in New York City have been authorized to relax COVID restrictions, they will soon have to confront a new set of requirements—this time focused on their collection of customers’ biometric information. On July 9, 2021, New York City’s new law addressing the collection and use of

President Bill Clinton earned lasting notoriety for his explanation of why his statement denying a relationship with Monica Lewinsky was truthful (“it depends on what the meaning of the word ‘is’ is”). It is doubtful Justice Amy Coney Barrett’s majority opinion for the Supreme Court last week in Van Buren v. U.S. will earn as

On May 12, 2021, President Biden signed a landmark Executive Order to improve and modernize the federal government’s cybersecurity infrastructure. The Executive Order comes in the wake of numerous cyber incidents targeting the United States, including the so-called SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents. The Executive Order will directly affect government contractors, including companies

On February 4, 2021, the New York State Department of Financial Services (NYDFS) released a Cyber Insurance Risk Framework (the Framework) to assist property and casualty insurers in managing their cyber insurance risk. The Framework comes on the heels of an increased demand for cyber insurance coverage from businesses to protect against the growing and ever-changing threat posed by cyberattacks.

To help issuers effectively manage the increased risk associated with issuing cyber insurance policies, the Framework recommends that insurers adopt seven “best practices,” which are discussed in this post.

Continue Reading New York Adopts Cybersecurity Framework for Insurers

On January 29, 2021 and February 3, 2021, respectively, the Virginia House of Delegates and Virginia Senate passed the Virginia Consumer Data Protection Act (VCDPA). The legislation, if signed into law by the governor, would be the first comprehensive privacy law enacted by a state since California enacted the California Consumer Privacy Act (CCPA) and, more recently, the California Privacy Rights Act (CPRA). Though the VCDPA is not slated to take effect until January 1, 2023, it will be important for companies to understand the complicated provisions of the VCDPA much earlier, so they can begin instituting any necessary changes in their internal and public-facing policies and their information practices. The VCDPA’s passage may also spur other states to enact their own privacy laws, which until now have been mired in legislative purgatory.

Some of the more significant aspects of the VCDPA are summarized in this post.

Continue Reading Virginia Poised to Become Second State with Comprehensive Privacy Law

According to media reports, Russian government hackers have penetrated the systems of thousands of companies across a variety of industries, as well as numerous US government agencies. Moreover, what has been publicly reported may be only the tip of the iceberg in terms of both the scope of the attacks’ victims and the attackers’ methodologies. The most recent reporting also suggests that victim companies are not just those that would be of obvious interest to Russian intelligence services. Accordingly, all companies should assess whether they have been affected by this attack, what steps they need to take to remediate those effects, and what legal and contractual obligations they may have to notify government agencies, business partners, customers, and individuals.
Continue Reading The Urgent Need to Assess and Respond to Russian Supply Chain Attacks

For over two years businesses have spent considerable energy preparing for and complying with the California Consumer Privacy Act (CCPA). Businesses now have more work to do after California voters overwhelmingly approved Proposition 24, the California Privacy Rights Act (CPRA), which completely reshapes and overhauls the CCPA. Fortunately, most of the CPRA’s changes, including those