On September 22, 2022, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) regarding Incentives for Advanced Cybersecurity Investment, requesting comment on proposed revisions to regulations implementing the Federal Power Act (FPA). The revisions would provide incentive-based rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by utilities for certain voluntary cybersecurity investments. The NOPR was issued in response to a Congressional mandate set forth in the Infrastructure Investment and Jobs Act of 2021, which directed FERC to establish cybersecurity incentives that would encourage investments by utilities in advanced cybersecurity technology and participation in cybersecurity threat information sharing programs. This NOPR replaces a prior cybersecurity incentives NOPR from December 2020.

Critical Infrastructure; Cybersecurity; Energy; National Security; Policy; Uncategorized

Meru Data Podcast Features Sidley Associate Lauren Kitces

Sep 21 2022

Lauren Kitces

Sidley associate Lauren Kitces was featured on Simplify For Success, a podcast series presented by Meru Data and hosted by Priya Keshav. Lauren discussed FTC’s proposed rulemaking regarding data privacy and data security, and shared her thoughts on how to prepare for the FTC enforcement.

Enforcement; FTC; Policy; Regulation

FTC Defends Expansive Privacy and Data Security ANPR at Public Forum

Sep 20 2022

Colleen Theresa Brown, Petra LaFountain, Nayef Andrabi and Matthew J. Kahn

The FTC continues its defense of the wide-reaching Advance Notice of Proposed Rulemaking (ANPR) on “Commercial Surveillance and Data Security” that the Commission, by a 3-2 vote, issued in August. (See the supporting statements of Chair Lina Khan and Commissioners Rebecca Slaughter, and Alvaro Bedoya, and the dissenting statements of Commissioners Christine Wilson and Noah Phillips.)

On Thursday, September 8, the FTC hosted a public forum on the notice, featuring remarks by Chair Khan, Commissioner Bedoya, and panels featuring guests representing industry and consumer interests.

Cybersecurity; Enforcement; FTC; Information Security; Online Privacy; Policy

The California Age-Appropriate Design Code Act Dramatically Expands Business Obligations

Sep 19 2022

Colleen Theresa Brown, Ash Nagdev, Sheri Porath Rockwell and Nayef Andrabi

On September 2, 2022, the California Age-Appropriate Design Code Act (the “Act”) (effective July 1, 2024) was passed by the California legislature, and on September 15, 2022 was signed into law by Governor Newsom. This Act dramatically expands business obligations and will force entities that provide an online service, product, or feature that is “likely to be accessed by children” (“Product”) to implement stringent privacy settings for users under 18. It aligns in many respects with the United Kingdom’s Age Appropriate Design Code, which passed in 2020. Together, these laws represent a significant shift in the regulatory landscape of children’s digital services.

The overarching policy of the Act is to require such entities to prioritize the best interests of children when developing and implementing their services. The Act implements this policy through a number of stringent requirements, including using language in privacy notices that is age-appropriate, undertaking physical and mental well-being impact assessments for existing and new products and services, and implementing stringent requirements on such entities use of the data as a default.

Children’s Privacy; Online Privacy; Policy; U.S. State Law

Regulatory Update: NAIC Summer 2022 National Meeting

Sep 07 2022

Stephanie H. Dobecki, Ellen M. Dunn, Andrew Holland, Michael L. Rosenfield, Chris Burusco and Sara N. Africano

The National Association of Insurance Commissioners (NAIC) held its Summer 2022 National Meeting (Summer Meeting) August 9–13, 2022. This post summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Summer Meeting. Highlights include a proposal for a new consumer privacy protections model law, continued discussion of considerations related to private equity ownership of insurers, continued development of accounting principles and investment limitations related to certain types of bonds and structured securities, and initiatives to address climate risks in the insurance sector.

Insurance; Legislation; Policy; State Privacy Laws

Big California Privacy News: Legislative and Enforcement Updates

Sep 06 2022

Colleen Theresa Brown, Sheri Porath Rockwell and Amy Lally

Privacy never sleeps in California. In recent days and as California’s legislative session comes to a close, there have been a number of significant legislative and regulatory developments in the state, each of which will likely (again) change the privacy landscape in California and, by extension, the rest of the country. For businesses operating in California or whose websites, products or services reach California residents, these changes mean new compliance obligations, some of which could require significant investments of time and resources. The impact of these changes highlight once again how the United States lacks a consistent national policy on privacy that could be set by a comprehensive federal privacy law.

Employee Privacy; Legislation; Online Privacy; Policy; U.S. State Law

‘Cyclops Blink’ Shows Why the SEC’s Proposed Cybersecurity Disclosure Rule Could Undermine the Nation’s Cybersecurity

Aug 30 2022

Sasha P. Hondagneu-Messner, Alan Raul and Stephen McInerney

**This article originally appeared on Lawfare

As nation-state actors increase their malicious cyber capabilities toward companies, U.S. regulators such as the SEC have understandably increased their regulatory focus on cybersecurity. The SEC is of course a well-intended member of Team Cyber, and investors in public companies might benefit from some aspects of the SEC’s proposal: Increased knowledge of a company’s cybersecurity risks, experience, governance, and resiliency could be important to their decision-making. But the proposal is dangerous to the extent that it jeopardizes important safety, security, and geopolitical interests in the name of disclosure. Put simply, the SEC’s proposal must be revised to assure responsible (not reckless) public disclosure. The SEC should not force public companies to choose between SEC liability and effective collaboration with the government’s cybersecurity-focused agencies. As is, the proposed rule could increase the risk to the U.S.’s critical infrastructure, economy, homeland, and allies. The proposal should include deference for exigent law enforcement, national security, and judicial needs, and allow delay where appropriate for ongoing, unpatched incidents when premature disclosure could harm a broad swath of vulnerable companies and even government agencies.

View Article

Cybersecurity; Policy; SEC

FTC ANPR Explores Wide Ranging Topics for Privacy and Cybersecurity Rulemaking

Aug 25 2022

Colleen Theresa Brown and Lauren Kitces

On Thursday, August 11, the Federal Trade Commission (“FTC”) announced that it is exploring rules to crack down on harmful commercial surveillance and lax data security practices. The FTC’s Advance Notice of Proposed Rulemaking (“ANPR”) solicits public comment on whether it should put into effect new rules and restrictions concerning standards and requirements for information security, the ways in which companies collect and process data in commercial contexts, and whether any practices related to the transfer, sharing, selling, or other monetization of personal information should be categorized as unfair or deceptive. The FTC voted 3-2 to publish the notice, with Chair Khan and Commissioners Slaughter and Bedoya voting in favor and issuing separate statements. Commissioners Phillips and Wilson voted against publication and also issued separate dissenting statements. The following Monday, Commissioner Phillips announced he would be leaving the FTC this fall.

Cybersecurity; Data Breaches; Enforcement; FTC; Information Security; Online Privacy; Policy; Regulatory

1 2 3 … 101 Next ›

U.S. FERC Proposes Revisions to Cybersecurity Incentives for Utilities

Meru Data Podcast Features Sidley Associate Lauren Kitces

FTC Defends Expansive Privacy and Data Security ANPR at Public Forum

The California Age-Appropriate Design Code Act Dramatically Expands Business Obligations

Regulatory Update: NAIC Summer 2022 National Meeting

Big California Privacy News: Legislative and Enforcement Updates

‘Cyclops Blink’ Shows Why the SEC’s Proposed Cybersecurity Disclosure Rule Could Undermine the Nation’s Cybersecurity

FTC ANPR Explores Wide Ranging Topics for Privacy and Cybersecurity Rulemaking

Categories

Archives

Contacts

Upcoming Events

Unpacking New Digital Data Laws Across Europe: Addressing the Digital Markets Act

Women in Privacy