On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)
On February 7, 2018, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released its 2018 National Exam Program Examination Priorities (2018 Exam Priorities) and, once again, identified cybersecurity as one of its main areas of focus. According to OCIE, each of its examination programs will prioritize cybersecurity. The 2018 Exam Priorities include five main focus areas: (1) cybersecurity; (2) compliance and risks in critical market infrastructure; (3) matters of importance to retail investors, including seniors and those saving for retirement; (4) oversight of the Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB); and (5) anti-money laundering programs. For an in-depth discussion regarding the entirety of the 2018 Exam Priorities, see Sidley’s previous analysis here. (more…)
On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys. The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent. (more…)
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)
*This article first appeared in Law360 on December 18, 2017.
For well over a year, defense contractors have had New Year’s Eve 2017 circled on their calendars, and not because they love the “auld lang syne” and a good glass of champagne. (Or at least not only for those reasons.) Dec. 31, 2017, is the deadline for when covered contractors must comply with the U.S. Department of Defense’s new Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements. This holiday season contractors are thus making their lists and checking them twice in order to ensure that they will be compliant by the end of the year. And this intense focus is well warranted. The DOD is deeply committed to protecting its information, and the requirements are an important step in that regard.
But for all of the focus on Dec. 31, contractors must also remember that the focus on compliance must remain into the New Year — and beyond. New technologies will emerge. Contractors will buy new systems and hire new employees. And all the while, internal security teams will be trying to stay a step ahead of hackers and “white hat” security researchers. In short, despite contractors’ best efforts, gaps may be identified at any time. Moreover, these gaps may carry with them real consequences — not only the possibility of contract termination, but also the risk of costly and disruptive False Claims Act investigations and lawsuits, with the specter of treble damages, and the possibility of suspension and debarment, lurking. It is thus crucial that contractors continue to be vigilant about the regulations, and take steps to enable them to demonstrate their vigilance and compliance, in order to best position themselves to avoid liability.
On October 26, 2017, the U.S. Department of Treasury released a 176-page Report examining the current regulatory framework for asset management and insurance industries. The Report, titled A Financial System That Creates Economic Opportunities: Asset Management and Insurance, identifies laws and regulations that are inconsistent with the Trump Administration’s Core Principles for financial regulation as set forth in Executive Order 13772 (Feb. 3, 2017), and makes recommendations to ensure alignment. For data privacy and security, the Report commented on the Insurance Data Security Model Law (the “Model Law”) adopted by the National Association of Insurance Commissioners’ (the “NAIC”) on October 24, 2017 (for more information on the development of the Model Law, see our prior coverage). The Model Law attempts to set a baseline for cybersecurity, although it depends on legislative action on the state level. (more…)
With the continued rise of data breaches rooted in a compromise of user credentials, interest has continued to build in more secure form of digital identities for authentication. Supporting controls for federal agencies as well as innovation in the market, the National Institute of Standards and Technology (“NIST”) published its four-volume Digital Identity Guidelines earlier this year on June 22, 2017. The Guidelines encourage online service providers (“OSPs”) to adopt design practices that promise to reduce unnecessary user frustration with password and identity verification systems, while at the same time increasing security. The primary purpose of the Guidelines is to promulgate technical requirements for federal agencies, businesses, however, could use the Guidelines as a baseline for their own cybersecurity systems—both to establish credibility and enhance the user experience. (more…)
On September 22, 2017, Illinois Governor Bruce Rauner vetoed the proposed Geolocation Privacy Protection Act, which sought to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent. The General Assembly originally passed the bill on June 27, 2017. (For more background on the bill, see Illinois Becomes the First State to Pass a Geolocation Privacy Protection Bill (July 5, 2017)). (more…)
Governor John Carney signed Delaware’s updated breach notification law on August 17, 2017. The revised law, which will come into force on April 14, 2018, includes key changes to the definition of personal information, introduces credit monitoring obligations, and heightens notice requirements. The law will also create new general information security requirements. (more…)