FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.

(more…)

Unpacking Digital Data Laws Across Europe: Addressing the Digital Markets Act

The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.

(more…)

Preparing Your 2022 Form 10-K: A Summary of Recent Key Disclosure Developments, Priorities, and Trends

This Sidley Update highlights certain key disclosure considerations for preparing your annual report on Form 10-K for fiscal year 2022, including recent amendments to U.S. Securities and Exchange Commission (SEC) disclosure rules and other developments that impact 2022 Form 10-K filings, as well as certain significant disclosure trends and current areas of SEC focus for disclosures. As always, we invite you to contact us with any questions on these topics or any other SEC reporting and compliance matters.

(more…)

Broker-Dealers and Investment Advisers Should Double-Check Their “Identity Theft” Programs: SEC Division of Examinations Issues Risk Alert on SEC’s Identity Theft Red Flags Rule, Regulation S-ID

On December 5, 2022, the Division of Examinations of the Securities and Exchange Commission (SEC) released a Risk Alert discussing its observations on Regulation S-ID (Reg. S-ID) from recent examinations of SEC-registered investment advisers and broker-dealers.  Reg. S-ID, the SEC’s implementation of the identity theft red flags rule, requires SEC-regulated financial institutions and creditors to develop and implement an identity theft prevention program (Program) with written policies and procedures that are updated periodically.  The requirements for the Program are outlined in the text of Reg. S-ID, and there are guidelines in Appendix A to assist firms in creating and maintaining a compliant Program.  As Reg. S-ID applies to both SEC and Commodity Futures Trading Commission-regulated entities, financial institutions and creditors should consider their compliance programs accordingly.

(more…)

Drizly FTC Order Introduces Significant Minimization, Deletion and Retention Requirements

On October 24, 2022, the Federal Trade Commission (“FTC”) issued an order (the “Order”) against the online alcohol marketplace, Drizly, and its CEO, James Cory Rellas, alleging security failures that resulted in a data breach exposing the personal information of approximately 2.5 million consumers. In reaching this conclusion, the FTC alleges that Drizly failed to implement reasonable safeguards to protect the personal information it collected and stored, such as, two-factor authentication for GitHub, access controls for personal data, sufficient written security policies, and appropriate employee training regarding security.

(more…)

HHS Office for Civil Rights Releases Webinar on Recognized Security Practices: Provides Guidance on Mitigating Potential Violations of HIPAA

Pursuant to legislation passed in 2021, covered entities and business associates subject to HIPAA and facing potential regulatory enforcement may receive some credit lessening to reduce enforcement penalties if they had implemented Recognized Security Practices (RSPs) within the prior 12 months.  However, what may constitute RSPs and how a covered entity or business associate can demonstrate implementation of RSPs to receive such credit had not been clear.  Now, the Department of Health and Human Services is seeking to provide clarity. (more…)

U.S.-EU Data Transfer Framework Signals Strengthened Collaboration

*This article first appeared on Law360 on October 14, 2022

A series of coordinated announcements on Oct. 7 lifted the veil on a new trans-Atlantic data transfer mechanism.

This announcement has been hotly anticipated since a joint declaration from the U.S. and European Union governments on March 25, that there was an agreement in principle for a new EU-U.S. Data Privacy Framework.

The key document in the framework process is Executive Order No. 14086 on enhancing safeguards for U.S. signals intelligence activities, accompanied by a detailed fact sheet on the executive order.

(more…)

Uber Data Breach Results in Corporate Cooperation and Executive Conviction

On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.

(more…)

The FTC’s COPPA Conundrum: Ambiguities in the Rule and a Death of Authoritative Guidance Leave the Agency Vulnerable to Legal Challenges

This article was originally published by the ABA’s ANTITRUST magazine in its Summer 2022 issue.

The Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission’s COPPA-enforcing rule have increasing relevance for all businesses that interact directly with consumers online—including companies that do not regard themselves as marketing directly to children. Both the FTC and state Attorneys General are active in enforcing COPPA, and companies can often be caught off guard by government inquiries scrutinizing their compliance. (more…)

Sean Royall

Dallas, Washington, D.C.

sroyall@sidley.com

Meru Data Podcast Features Sidley Associate Lauren Kitces

Sidley associate Lauren Kitces was featured on Simplify For Success, a podcast series presented by Meru Data and hosted by Priya Keshav. Lauren discussed FTC’s proposed rulemaking regarding data privacy and data security, and shared her thoughts on how to prepare for the FTC enforcement.