Sidley Adds Partners Seale and Wilan to Growing Cybersecurity Practice

WASHINGTON, D.C. –Sidley announced today that Jennifer Seale and Jonathan Wilan have joined as partners in the firm’s Privacy and Cybersecurity practice in Washington, D.C. Ms. Seale and Mr. Wilan join Sidley from Baker McKenzie where they played key roles in the Global Cybersecurity practice. (more…)

SEC Requests Comment on Regulation of Information Providers Under the U.S. Investment Advisers Act

On June 15, 2022, the U.S. Securities and Exchange Commission (Commission) issued a request for comment with respect to whether certain index, model, pricing, and other information providers should be regulated as investment advisers under the Investment Advisers Act of 1940. The Commission suggests fresh consideration is needed in light of changes in technology and market practices in the decades since these topics were last given significant attention — especially given the continuing expansion of index-based investment strategies. Responses to the request for comment are due the later of August 16, 2022, or 30 days after publication of the release in the Federal Register. (more…)

Blockchain Tracing: The U.S. Government’s Newest Tool to Combat Foreign Crime

On May 13, 2022, U.S. Magistrate Judge Zia M. Faruqui of the District of Columbia took the unusual step of unsealing and issuing a Memorandum Opinion captioned “In Re: Criminal Complaint” to explain the court’s conclusion that probable cause existed to authorize a federal criminal complaint against an individual for transmitting over $10 million worth of bitcoin between the United States and an Office of Foreign Assets Control–sanctioned nation, violating the International Emergency Economic Powers Act (IEEPA) and defrauding the United States, in violation of 18 U.S.C. § 371.

(more…)

Nation-State-Sponsored Attacks: Not Your Grandfather’s Cyber Attacks

*Reprinted with permission from the May 6, 2022 edition of the New York Law Journal © 2022 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or reprints@alm.com.

It used to be that data breaches were all about cyber-crooks hacking computer systems to steal personal information, followed by an affected company sending regretful notification letters offering a year or two of complimentary credit monitoring. Not anymore. (more…)

Digital Health Industry Take Note: New HIPAA Comment Opportunity and Guidance Addresses Growing Risk of Cybersecurity Attacks

Digital health companies should take note of new data privacy and security developments under the Health Insurance Portability and Accountability Act (HIPAA) that can affect product planning and customer negotiations.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released a request for information (RFI) seeking input on (1) how covered entities implement recognized security practices, which OCR considers in enforcement matters and (2) the different types of harm that individuals experience from HIPAA violations in order to consider how OCR may share enforcement recoveries with individuals harmed. Digital health companies subject to HIPAA should consider submitting comments by the June deadline to ensure that the evolving digital health industry has a voice in establishing industry best practices and advocating for continued flexibility in the implementation of security standards that suit their unique business needs distinct from traditional covered entities and business associates. (more…)

CISA: “We don’t stab the wounded.”

Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), repeatedly emphasizes CISA’s cooperative approach with the U.S. private sector. During her interview with Sidley’s Alan Raul on April 13, 2022, Easterly emphasized that CISA’s role was not to “name, blame, shame, or stab the wounded” victims of cybersecurity incidents. Instead, she described the Agency as a coequal partner with the private sector in securing U.S. infrastructure. CISA desires to partner with other agencies as well, operating as the “front door” to federal agency support and cyber security resources, she stated. During the Raul interview, she also provided insight into the Agency’s perspective on the newly enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). (more…)

Joyce Yeager

Knowledge Management Lawyer

jyeager@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Privacy by Design and Data Minimisation

*This article was first published by Global Data Review in March 2022.

“Privacy by design” refers to the practice of integrating and embedding privacy and data protection into the development and implementation of information technology systems, business practices and policies, and products and applications. (more…)

CISA Publishes a List of Key Elements to Share in Incident Reports

Amidst severe warnings by the United States government of heightened cyber risks (especially for critical infrastructure), and on the heels of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) being signed into law in March 2022, the Cybersecurity and Infrastructure Security Administration (CISA) published a Cyber Event Information Sharing Fact Sheet, which provides stakeholders with guidance about what to share, who should share, and how to share information about unusual cyber incidents or activity. (more…)

Understanding China’s Data Regulatory Regime: What Are Important Data? And Can They Be Transferred Outside Of China?

The concept of “important data” is a cornerstone of China’s data regulatory regime. The Cyber Security Law (2017) (the CSL) prohibits operators of critical information infrastructures (CIIs) from transferring their “important data” and personal information outside of China. The Data Security Law (2021) (the DSL) and some recent draft regulations indicate that the prohibition on exports of “important data” is likely to apply to all companies, whether CII operators or not.

Then, what are “important data”? (more…)

SEC Announces 2022 Examination Priorities: Private Funds, ESG, Retail, Cyber, Digital Assets Top the List

On March 30, 2022, the U.S. Securities and Exchange Commission (SEC) Division of Enforcement (EXAMS or Division) issued its annual examination priorities.1 Consistent with its recent rulemaking activity, in its accompanying release, the SEC highlighted private funds; Environmental, Social and Governance (ESG) investing; retail; cyber; and digital assets as key examination priorities. This article provides a concise summary of upcoming examination priorities and perennial issues registrants can anticipate in the following year’s examinations.

(more…)