For over two and a half years, California has enjoyed the spotlight of having the most comprehensive data privacy law in the United States. On March 2, 2021, Virginia forced California to share the honors, when Democratic Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA).
The VCDPA, which will not enter into effect until January 1, 2023, borrows heavily from the California Consumer Privacy Act (CCPA) and the European Union (EU) General Data Protection Regulation (GDPR). Perhaps because Virginia was able to benefit from the experience of businesses that have spent the better part of the last five years implementing the GDPR or the CCPA, the Virginia law is less prescriptive and more straightforward than its predecessors, with (one would hope) a correspondingly lighter implementation burden on companies. Nonetheless, there is just enough different in the VCDPA that businesses with a connection to Virginia will need to evaluate whether the law applies to them and how they will comply.
While an exegesis of the VCDPA is beyond the scope of today’s Data Matters post, this alert is designed to assist such efforts in three ways. First, we lay out the VCDPA’s scope, providing preliminary insight into which businesses the law will cover. Second, we highlight the key ways the VCDPA differs from — and, more important, extends beyond — the CCPA and GDPR so that businesses will have an initial sense of what, if any, unique obligations the VCDPA will place on them. Finally, for completeness’s sake, the post briefly summarizes the law’s key elements.
On January 28, 2021, the UK Financial Conduct Authority (FCA) published Consultation Paper CP21/3, “Changes to the SCA-RTS and to the guidance in ‘Payment Services and Electronic Money – Our Approach’ and the Perimeter Guidance Manual” (Consultation Paper). This follows the FCA’s announcement in its 2020-21 business plan that payment services were one of its main supervisory priorities1 and its temporary guidance of July 9, 2020, on prudential risk management and safeguarding in light of the COVID-19 pandemic (Temporary COVID Guidance).
The FCA is proposing amendments to:
- the UK onshored versions of EU technical standards on strong customer authentication (SCA) and common and secure methods of communication (UK SCA-RTS);
- its Approach Document on Payment Services and Electronic Money (Approach Document); and
- its Perimeter Guidance Manual (PERG).
On February 4, 2021, the New York Department of Financial Services (NYDFS) issued Circular Letter No. 2 announcing a Cyber Insurance Risk Framework (the Framework) that describes industry best practices for New York-regulated property/casualty insurers. Issuance of the Framework is notable as it represents the first official guidance by a U.S. regulator concerning the increasingly critical issue of cyberinsurance. And while circular letters do not establish new legal requirements or have the force of law, they do set forth the department’s interpretation of the requirements of existing laws and regulations.1
Released on February 1, the Financial Industry Regulatory Authority (FINRA) 2021 Report on its Examination and Risk Monitoring Program (Report) provides a roadmap for member firms to use to prepare for examinations and to review and assess compliance and supervisory procedures related to business practices, compliance, and operations. The Report replaces two of FINRA’s prior annual publications: (1) the Report on Examination Findings and Observations, which provided an analysis of prior examination results, and (2) the Risk Monitoring and Examination Program Priorities Letter, which highlighted areas FINRA planned to review in the coming year.
Most cybersecurity professionals are aware of the New York Department of Financial Service’s requirement imposed on DFS-licensed entities to certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year), but less well known is that numerous other states impose similar requirements on regulated insurance entities and that deadline for many states is coming up on February 15, 2021.
On January 19, 2021, the U.S. Department of Commerce (Commerce) issued interim final regulations (interim rules) implementing Executive Order 13873, Executive Order on Securing the Information and Communications Technology Services Supply Chain (EO), which was intended to address alleged threats against information and communications technology and services (ICTS) in the United States. The new review mechanism focuses on transactions involving any acquisition, importation, transfer, installation, dealing in, or use of ICTS that has been designed, developed, manufactured, or supplied by parties owned by, controlled by, or subject to the jurisdiction or direction of “foreign adversaries.”
While the focus on the rules is not foreign investment per se, it will complement the Committee on Foreign Investment in the United States’ (CFIUS) investment security review mechanisms. Indeed, the interim rules borrow several concepts and definitions from CFIUS’s recently amended regulations.
Commerce invited interested parties to submit comments on the interim rules. Parties must submit comments by March 22, 2021. Commerce will publish final regulations after considering any comments submitted.
This post provides key takeaways and a brief summary of Commerce’s new review mechanism.
Taking a step into the digital age, the European Commission announced that the 2020s shall become the EU’s Digital Decade. The EU’s digitalization, including in the area of health, is one of the Commission’s key priorities and covers a wide range of actions and related initiatives.
Building on prior initiatives, in 2019 the Commission announced six key priorities (since supplemented by the COVID-19 recovery plan) that would shape the coming five years of policy making. One of these six key priorities is to create a Europe fit for the digital age and work on a digital strategy that will empower people with a new generation of technologies.
This Sidley Practice Note highlights certain key disclosure considerations for preparing your annual report on Form 10-K for fiscal year 2020, including recent amendments to U.S. Securities and Exchange Commission (SEC) disclosure rules and other developments that will affect 2020 Form 10-K filings as well as certain significant disclosure trends and current areas of SEC staff focus for disclosures. Appendix A to this Practice Note sets forth a summary checklist of significant Regulation S-K amendments affecting 2020 Form 10-K filings, which are discussed in further detail. As always, we invite you to contact us with any questions on these topics or any other SEC reporting and compliance matters.
On January 5, 2021, President Donald Trump signed Executive Order (EO) 13971, banning certain transactions and activities with persons who “develop or control” eight Chinese “connected software applications,”1 specifically Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office. The prohibitions will come into effect 45 days after the issuance of the order, that is, February 19.
On December 18, 2020, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPR) regarding a proposal to impose on banks1 and money service businesses (MSBs) new recordkeeping, reporting, and identity verification requirements in relation to certain transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (legal tender digital assets or LTDA)2 if the counterparty to the transaction does not have an account with, including a digital asset wallet hosted by, a financial institution regulated under the U.S. Bank Secrecy Act (BSA) or certain foreign financial institutions not located in designated problematic jurisdictions. If adopted, the proposed rule will impose significant new burdens only on banks and MSBs involved in digital asset businesses and undercut the role of U.S. institutions in digital asset economies, including in the growing area of “decentralized finance.” The NPR proposes to exclude broker-dealers, futures commission merchants, and mutual funds, among others that are subject to the BSA from these new reporting requirements, but specifically requests the industry’s comment on whether these types of institutions should also be included within the scope of the rule.
Affected institutions will have very limited time to assess and comment on the NPR, as the comment period closes on January 4, 2021, notwithstanding two intervening federal holidays.