On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)
Few would describe 2017 as a quiet year. But it actually was a period of relative calm with respect to at least one important topic. After supporters and opponents of mandated government access to encrypted communications publicly feuded for much of 2016, reprising arguments they’ve had since at least the days of the “Clipper Chip,” these “encryption debates” seemed to quiet down for much of last year. The same tensions likely simmered beneath the surface, to be sure, but they didn’t boil over and there was accordingly less attention directed at the issue than there had been previously. (more…)
On February 7, 2018, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released its 2018 National Exam Program Examination Priorities (2018 Exam Priorities) and, once again, identified cybersecurity as one of its main areas of focus. According to OCIE, each of its examination programs will prioritize cybersecurity. The 2018 Exam Priorities include five main focus areas: (1) cybersecurity; (2) compliance and risks in critical market infrastructure; (3) matters of importance to retail investors, including seniors and those saving for retirement; (4) oversight of the Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB); and (5) anti-money laundering programs. For an in-depth discussion regarding the entirety of the 2018 Exam Priorities, see Sidley’s previous analysis here. (more…)
On February 7, 2018, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (the Commission) released its annual National Exam Program Examination Priorities (Exam Priorities).1 As has been widely reported, the Exam Priorities’ general focus areas include:
- retail investors
- compliance and risks in critical market infrastructure
- oversight of the Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB)
- anti-money laundering (AML) programs
The majority of these Exam Priorities are not surprising because they reflect the Commission’s continued focus on retail investors, conflicts of interest, fee disclosure, cybersecurity, cryptocurrency and AML programs.2 The Exam Priorities can serve as a roadmap for firms to assess their policies, procedures and compliance programs, and to prepare for OCIE exams. This post outlines and elaborates on each of the Exam Priorities. (more…)
Companies that are subject to New York’s Cybersecurity Regulation are moving quickly to finalize their compliance obligations under the Cybersecurity Regulation, as the second “due date” quickly approaches – February 15, 2018. By August 28, 2017, Covered Entities were required to have a cybersecurity program in place, as well as a board (or senior officer) approved written cybersecurity policy and Chief Information Security Officer to help protect data and systems. They also became obligated to report cybersecurity events to the NYDFS. (more…)
Following months of intense debate, an attempted filibuster, and close votes in both the House and Senate, Congress last week finally extended Section 702 of the Foreign Intelligence Surveillance Act (FISA).
On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys. The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent. (more…)
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)
With the rise in drone usage for both commercial and recreational activities, air safety regulators around the world have increasingly focused on the impact of drones (otherwise known as unmanned aircraft systems or UAS) on flight safety and efficiency. Consistent with calls by the International Air Transport Association (IATA) for more oversight, Hong Kong’s Civil Aviation Department (CAD) recently announced plans to step up the regulation of commercial and recreational drones.
The fourth edition of The Privacy, Data Protection and Cybersecurity Law Review takes a look at the evolving global privacy, data protection and cybersecurity landscape in a time when mega breaches are becoming more common and businesses are coming under increased scrutiny from regulators, Boards of Directors and their customers. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the links below for a closer look at this developing area of law. (more…)