FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing
On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule). The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.
FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program
On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.
Digital Health Transformation: A Practical Guide for Life Sciences Companies
In 2022, many if not most pharmaceutical, medical device, and other life sciences companies established strategies to innovate digital health technology complementary to their existing strategic focus. The digital transformation of the life sciences industry is still widely unfolding across the marketplace. In 2023 and beyond, the race is on to launch the next generation of digital health technologies to innovate the delivery of therapies to patients.
EU Publishes New NIS2 Cyber Directive Imposing Liability and Obligations on Senior Management
On 17 January 2023, the new Network and Information Systems Security Directive (“NIS2 Directive”), which is aimed at establishing a minimum level of cybersecurity standards across the EU and is set to replace its predecessor (the NIS or “NIS1 Directive”), entered into force. The new NIS2 Directive aims to further harmonize and strengthen cybersecurity and resilience throughout the EU in response to a continued increase in digitization and rise in cyber (and in particular ransomware) threats – which is estimated to have reached a total cost of €5.5 trillion at the end of 2020 (double the figure of 2015) and continues to rise in the EU and globally notably due to ongoing geopolitical conflicts in Ukraine and Russia. (more…)
Preparing Your 2022 Form 10-K: A Summary of Recent Key Disclosure Developments, Priorities, and Trends
This Sidley Update highlights certain key disclosure considerations for preparing your annual report on Form 10-K for fiscal year 2022, including recent amendments to U.S. Securities and Exchange Commission (SEC) disclosure rules and other developments that impact 2022 Form 10-K filings, as well as certain significant disclosure trends and current areas of SEC focus for disclosures. As always, we invite you to contact us with any questions on these topics or any other SEC reporting and compliance matters.
Broker-Dealers and Investment Advisers Should Double-Check Their “Identity Theft” Programs: SEC Division of Examinations Issues Risk Alert on SEC’s Identity Theft Red Flags Rule, Regulation S-ID
On December 5, 2022, the Division of Examinations of the Securities and Exchange Commission (SEC) released a Risk Alert discussing its observations on Regulation S-ID (Reg. S-ID) from recent examinations of SEC-registered investment advisers and broker-dealers. Reg. S-ID, the SEC’s implementation of the identity theft red flags rule, requires SEC-regulated financial institutions and creditors to develop and implement an identity theft prevention program (Program) with written policies and procedures that are updated periodically. The requirements for the Program are outlined in the text of Reg. S-ID, and there are guidelines in Appendix A to assist firms in creating and maintaining a compliant Program. As Reg. S-ID applies to both SEC and Commodity Futures Trading Commission-regulated entities, financial institutions and creditors should consider their compliance programs accordingly.
Drizly FTC Order Introduces Significant Minimization, Deletion and Retention Requirements
On October 24, 2022, the Federal Trade Commission (“FTC”) issued an order (the “Order”) against the online alcohol marketplace, Drizly, and its CEO, James Cory Rellas, alleging security failures that resulted in a data breach exposing the personal information of approximately 2.5 million consumers. In reaching this conclusion, the FTC alleges that Drizly failed to implement reasonable safeguards to protect the personal information it collected and stored, such as, two-factor authentication for GitHub, access controls for personal data, sufficient written security policies, and appropriate employee training regarding security.
HHS Office for Civil Rights Releases Webinar on Recognized Security Practices: Provides Guidance on Mitigating Potential Violations of HIPAA
Pursuant to legislation passed in 2021, covered entities and business associates subject to HIPAA and facing potential regulatory enforcement may receive some credit lessening to reduce enforcement penalties if they had implemented Recognized Security Practices (RSPs) within the prior 12 months. However, what may constitute RSPs and how a covered entity or business associate can demonstrate implementation of RSPs to receive such credit had not been clear. Now, the Department of Health and Human Services is seeking to provide clarity. (more…)
Developments to Improve the Cybersecurity of Federal Government Agencies, Critical Infrastructure
Recently, several developments have been proposed or announced to help identify and mitigate cyber risk for United States critical infrastructure operators and software in an effort to further bolster the cybersecurity posture of the federal government. (more…)
U.S. Treasury Department Seeks Public Comment On Potential Federal Cyber Insurance Program
The U.S. Treasury Department is seeking public comment on the need and scope for a potential federal insurance response to catastrophic cyber incidents, akin to the one put in place for terrorism insurance after the attacks of September 11, 2001.