U.S. Treasury Department Seeks Public Comment On Potential Federal Cyber Insurance Program

The U.S. Treasury Department is seeking public comment on the need and scope for a potential federal insurance response to catastrophic cyber incidents, akin to the one put in place for terrorism insurance after the attacks of September 11, 2001.

Uber Data Breach Results in Corporate Cooperation and Executive Conviction

On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum of three years in prison for the misprision charge.

U.S. FERC Proposes Revisions to Cybersecurity Incentives for Utilities

On September 22, 2022, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) regarding Incentives for Advanced Cybersecurity Investment, requesting comment on proposed revisions to regulations implementing the Federal Power Act (FPA). The revisions would provide incentive-based rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by utilities for certain voluntary cybersecurity investments. The NOPR was issued in response to a Congressional mandate set forth in the Infrastructure Investment and Jobs Act of 2021, which directed FERC to establish cybersecurity incentives that would encourage investments by utilities in advanced cybersecurity technology and participation in cybersecurity threat information sharing programs. This NOPR replaces a prior cybersecurity incentives NOPR from December 2020.

FTC Defends Expansive Privacy and Data Security ANPR at Public Forum

The FTC continues its defense of the wide-reaching Advance Notice of Proposed Rulemaking (ANPR) on “Commercial Surveillance and Data Security” that the Commission, by a 3-2 vote, issued in August. (See the supporting statements of Chair Lina Khan and Commissioners Rebecca Slaughter and Alvaro Bedoya, and the dissenting statements of Commissioners Christine Wilson and Noah Phillips.)

On Thursday, September 8, the FTC hosted a public forum on the notice, featuring remarks by Chair Khan, Commissioner Bedoya, and panels featuring guests representing industry and consumer interests.

‘Cyclops Blink’ Shows Why the SEC’s Proposed Cybersecurity Disclosure Rule Could Undermine the Nation’s Cybersecurity

This article originally appeared on Lawfare.

As nation-state actors increase their malicious cyber capabilities toward companies, U.S. regulators such as the SEC have understandably increased their regulatory focus on cybersecurity. The SEC is of course a well-intended member of Team Cyber, and investors in public companies might benefit from some aspects of the SEC’s proposal: Increased knowledge of a company’s cybersecurity risks, experience, governance, and resiliency could be important to their decision-making. But the proposal is dangerous to the extent that it jeopardizes important safety, security, and geopolitical interests in the name of disclosure. Put simply, the SEC’s proposal must be revised to assure responsible (not reckless) public disclosure. The SEC should not force public companies to choose between SEC liability and effective collaboration with the government’s cybersecurity-focused agencies. As is, the proposed rule could increase the risk to the U.S.’s critical infrastructure, economy, homeland, and allies. The proposal should include deference for exigent law enforcement, national security, and judicial needs, and allow delay where appropriate for ongoing, unpatched incidents when premature disclosure could harm a broad swath of vulnerable companies and even government agencies.

FTC ANPR Explores Wide Ranging Topics for Privacy and Cybersecurity Rulemaking

On Thursday, August 11, the Federal Trade Commission (“FTC”) announced that it is exploring rules to crack down on harmful commercial surveillance and lax data security practices.  The FTC’s Advance Notice of Proposed Rulemaking (“ANPR”) solicits public comment on whether it should put into effect new rules and restrictions concerning standards and requirements for information security, the ways in which companies collect and process data in commercial contexts, and whether any practices related to the transfer, sharing, selling, or other monetization of personal information should be categorized as unfair or deceptive.  The FTC voted 3-2 to publish the notice, with Chair Khan and Commissioners Slaughter and Bedoya voting in favor and issuing separate statements.  Commissioners Phillips and Wilson voted against publication and also issued separate dissenting statements.  The following Monday, Commissioner Phillips announced he would be leaving the FTC this fall.

China Data Law Update: Certification Rules and Draft Standard Contract Are Issued

As the year approaches its halfway point, the Chinese government is accelerating legislation for cross-border data transfers.

Sidley Adds Partners Seale and Wilan to Growing Cybersecurity Practice

WASHINGTON, D.C. – Sidley announced today that Jennifer Seale and Jonathan Wilan have joined as partners in the firm’s Privacy and Cybersecurity practice in Washington, D.C. Ms. Seale and Mr. Wilan join Sidley from Baker McKenzie where they played key roles in the Global Cybersecurity practice.

SEC Requests Comment on Regulation of Information Providers Under the U.S. Investment Advisers Act

On June 15, 2022, the U.S. Securities and Exchange Commission (Commission) issued a request for comment with respect to whether certain index, model, pricing, and other information providers should be regulated as investment advisers under the Investment Advisers Act of 1940. The Commission suggests fresh consideration is needed in light of changes in technology and market practices in the decades since these topics were last given significant attention — especially given the continuing expansion of index-based investment strategies. Responses to the request for comment are due the later of August 16, 2022, or 30 days after publication of the release in the Federal Register.

Blockchain Tracing: The U.S. Government’s Newest Tool to Combat Foreign Crime

On May 13, 2022, U.S. Magistrate Judge Zia M. Faruqui of the District of Columbia took the unusual step of unsealing and issuing a Memorandum Opinion captioned “In Re: Criminal Complaint” to explain the court’s conclusion that probable cause existed to authorize a federal criminal complaint against an individual for transmitting over $10 million worth of bitcoin between the United States and an Office of Foreign Assets Control–sanctioned nation, violating the International Emergency Economic Powers Act (IEEPA) and defrauding the United States, in violation of 18 U.S.C. § 371.
