Understanding China’s Data Regulatory Regime: What Are Important Data? And Can They Be Transferred Outside Of China?
The concept of “important data” is a cornerstone of China’s data regulatory regime. The Cyber Security Law (2017) (the CSL) prohibits operators of critical information infrastructures (CIIs) from transferring their “important data” and personal information outside of China. The Data Security Law (2021) (the DSL) and some recent draft regulations indicate that the prohibition on exports of “important data” is likely to apply to all companies, whether CII operators or not.
Then, what are “important data”? (more…)
SEC Announces 2022 Examination Priorities: Private Funds, ESG, Retail, Cyber, Digital Assets Top the List
On March 30, 2022, the U.S. Securities and Exchange Commission (SEC) Division of Enforcement (EXAMS or Division) issued its annual examination priorities.1 Consistent with its recent rulemaking activity, in its accompanying release, the SEC highlighted private funds; Environmental, Social and Governance (ESG) investing; retail; cyber; and digital assets as key examination priorities. This article provides a concise summary of upcoming examination priorities and perennial issues registrants can anticipate in the following year’s examinations.
White House Urgent Warning: Act Now to Protect Against Potential Russian Cyberattacks
On March 21, 2022, the White House issued a dramatic warning based on “evolving intelligence” about the potential for Russia to threaten America with cyber attacks in response to U.S.-imposed economic sanctions. In a separate statement, President Biden said that “the Russian Government is exploring options for potential cyberattacks.” He urged the private sector, especially those that operate critical infrastructure, to “harden your cyber defenses immediately by implementing the best practices we have developed together over the last year.” According to Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, Russia has been conducting “preparatory activities”, which she said could include scanning of websites and hunting for software vulnerabilities.
In addition to CISA’s Shields-Up campaign, which we covered in a previous blog post, the White House’s March 21 Fact Sheet stresses the urgency of key cyber hygiene steps including recommendations to: (more…)
Congress Passes Cyber Incident Reporting for Critical Infrastructure Act of 2022
The U.S. Congress has passed a significant new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. The reporting requirements will cover multiple sectors of the economy, including chemical industry entities, commercial facilities, communications sector entities, critical manufacturing, dams, financial services entities, food and agriculture sector entities, healthcare entities, information technology, energy, and transportation. CISA must promulgate a proposed implementing regulation within 24 months from final enactment date of March 15, 2022, and a final regulation no later than 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule. (more…)
Executive Order on Ensuring Responsible Innovation in Digital Assets
On March 9, 2022, President Joe Biden signed an executive order (EO) to engage several federal agencies in a comprehensive review of the federal government’s approach to cryptocurrencies and digital assets. The broad scope of the EO outlines a unified, “whole-of government” approach to developing policy for digital assets across five key priorities: (1) potential introduction of a United States Central Bank Digital Currency (CBDC); (2) consumer, investor, and business protection; (3) financial stability and systemic risk; (4) illicit finance and national security; and (5) U.S. leadership in the global financial system and economic competitiveness. The EO also focuses on the impact that blockchain technology and digital assets can have on financial inclusion and human rights (including the unbanked and underbanked) as well as on climate change and environmental pollution (including energy usage from mining and grid management). (more…)
Newly Proposed SEC Cybersecurity Risk Management and Governance Rules and Amendments for Public Companies
On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new cybersecurity rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The text of the proposed rules is available here. The SEC proposal would continue to ratchet up cybersecurity as an increasingly critical dimension of corporate governance.
Key takeaways from the SEC’s release include the following: (more…)
DOJ’s First “Cyber-Fraud” Settlement Targets Healthcare Provider
Yesterday DOJ announced its first settlement under the Department’s new “Cyber-Fraud Initiative.” This initiative, announced in October 2021, aims to “utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.” However, in addition to targeting traditional government contractors, the initiative presents broader opportunities for DOJ to use the FCA to address data protection practices by healthcare providers.
The healthcare industry is consistently the recipient of disproportionate oversight under the FCA, and thus it is perhaps no surprise that DOJ’s first settlement under the Cyber-Fraud Initiative was with a healthcare provider. As announced here, a healthcare provider furnishing medical services on air force bases paid $930,000 to resolve allegations that it “violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services.” The settlement also resolved allegations relating to controlled substances. (more…)
Data Protection in Financial Services Week 2022
WEBINAR
From February 28-March 3, Sidley and OneTrust DataGuidance hosted their annual Data Protection in Financial Services (DPFS) Week, a series of webinars looking at the impacts of data privacy across the financial sector. Industry speakers covered a range of issues including:
- How the latest privacy and cybersecurity developments in Europe and the U.S. have impacted financial services
- How new and existing privacy and cyber requirements intersect with finance-specific regulation
- What financial organizations can do to keep ahead of the curve in the ever-evolving data privacy and cyber landscape
- How to deal with and manage the key issues for 2022, such as AI, data governance, and international transfers
U.S. Government Issues Warning of Threat Against U.S. Critical Infrastructure
On February 25, 2022, in light of Russia’s attack on Ukraine, and months of continuing Russian state-sponsored cyberattacks on Ukrainian government and critical infrastructure organizations, the Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” warning to American critical infrastructure organizations and businesses, stating that “[e]very organization—large and small—must be prepared to respond to disruptive cyber activity.” While the guidance states that there are no specific, credible cyber threats directed at the United States, it notes that Russian threat actors have been orchestrating denial of service and destructive malware attacks affecting Ukraine and its neighboring countries, and that such activities may spread to the United States and its NATO allies in what is a rapidly evolving scenario. (more…)