UK Consults on Algorithmic Processing

Algorithms touch upon multiple aspects of digital life, and their use potentially falls within several separate – though converging – regulatory systems. More than ever, a ‘joined up’ approach is required to assess them, and the UK’s main regulators are working together to try to formulate a coherent policy, setting an interesting example that could be a template for global approaches to digital regulation. (more…)

Blockchain Tracing: The U.S. Government’s Newest Tool to Combat Foreign Crime

On May 13, 2022, U.S. Magistrate Judge Zia M. Faruqui of the District of Columbia took the unusual step of unsealing and issuing a Memorandum Opinion captioned “In Re: Criminal Complaint” to explain the court’s conclusion that probable cause existed to authorize a federal criminal complaint against an individual for transmitting over $10 million worth of bitcoin between the United States and an Office of Foreign Assets Control–sanctioned nation, violating the International Emergency Economic Powers Act (IEEPA) and defrauding the United States, in violation of 18 U.S.C. § 371.

(more…)

SEC Announces 2022 Examination Priorities: Private Funds, ESG, Retail, Cyber, Digital Assets Top the List

On March 30, 2022, the U.S. Securities and Exchange Commission (SEC) Division of Enforcement (EXAMS or Division) issued its annual examination priorities.1 Consistent with its recent rulemaking activity, in its accompanying release, the SEC highlighted private funds; Environmental, Social and Governance (ESG) investing; retail; cyber; and digital assets as key examination priorities. This article provides a concise summary of upcoming examination priorities and perennial issues registrants can anticipate in the following year’s examinations.

(more…)

California AG’s First Formal CCPA Opinion Directs Businesses to Disclose Internally-Generated Inferences and Expresses Skepticism Around Trade Secret Claims

In its first formal opinion interpreting the California Consumer Privacy Act (the “Opinion”), the California Attorney General (OAG) has expansively interpreted CCPA to mean that inferences created internally by a business, including those based on data that is not included in the definition of personal information, constitute “specific pieces” of personal information “collected by a business” which must be produced to consumers upon request.  The Opinion, which was issued on March 10, 2022 in response to a request for clarification submitted by Assemblyman Kevin Kiley, also addressed arguments that such inferences could constitute trade secrets and signaled the OAG’s unwillingness to accept “blanket assertions” that inferences constitute trade secrets or proprietary information, requiring instead that businesses explain why an inference constitutes a trade secret with greater particularity.  We highlight below some of the more instructive elements of the opinion that provide insight into potential future enforcement. (more…)

Digital Health Compliance Considerations — Revenue Models and Patient Incentives

Digital Health Compliance Considerations — Revenue Models and Patient Incentives

The digital health market continues to grow exponentially in the United States. As startups and established companies market digital tools and technology to improve health outcomes and reduce costs, a key issue is whether the revenue model and any incentives used to drive patient behavior comply with federal healthcare laws that prohibit kickbacks to providers and patients. A recent government opinion issued to a digital behavioral health company approves a revenue and patient incentive model under key federal healthcare fraud and abuse laws and serves as a possible starting point for development of a sustainable revenue model that can be scaled as the business grows. (more…)

DOJ’s First “Cyber-Fraud” Settlement Targets Healthcare Provider

Yesterday DOJ announced its first settlement under the Department’s new “Cyber-Fraud Initiative.”  This initiative, announced in October 2021, aims to “utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients.”  However, as discussed further here, in addition to targeting traditional government contractors, the initiative presents broader opportunities for DOJ to use the FCA to address data protection practices by healthcare providers.

The healthcare industry is consistently the recipient of disproportionate oversight under the FCA, and thus it is perhaps no surprise that DOJ’s first settlement under the Cyber-Fraud Initiative was with a healthcare provider.  As announced here, a healthcare provider furnishing medical services on air force bases paid $930,000 to resolve allegations that it “violated the False Claims Act by falsely representing to the State Department and the Air Force that it complied with contract requirements relating to the provision of medical services.”  The settlement also resolved allegations relating to controlled substances. (more…)

Data Protection in Financial Services Week 2022

WEBINAR

From February 28-March 3, Sidley and OneTrust DataGuidance hosted their annual Data Protection in Financial Services (DPFS) Week, a series of webinars looking at the impacts of data privacy across the financial sector. Industry speakers covered a range of issues including:

  • How the latest privacy and cybersecurity developments in Europe and the U.S. have impacted financial services
  • How new and existing privacy and cyber requirements intersect with finance-specific regulation
  • What financial organizations can do to keep ahead of the curve in the ever-evolving data privacy and cyber landscape
  • How to deal with and manage the key issues for 2022, such as AI, data governance, and international transfers

(more…)

Trying to Tackle Big Data: European Union Launches Draft Data Act

On 23 February 2022, the European Commission (Commission) proposed a draft of a regulation on harmonised rules on fair access to and use of data – also known as the Data Act. The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”.

If adopted in its current form, the new rules will impose far-reaching obligations on tech companies (such as manufacturers of connected products and cloud service providers) and give national authorities new enforcement powers to sanction infringements with fines of up to EUR 20 million or 4% of annual global revenue, whichever is higher. (more…)

SEC Chair: Sweeping New Cybersecurity Rules Are Coming Soon

On Monday, January 24, 2022, in a speech at the Northwestern University Pritzker School of Law annual Securities Regulation Institute conference, Gary Gensler, Chair of the U.S. Securities and Exchange Commission (SEC), announced that he has asked SEC staff to provide sweeping rulemaking recommendations to modernize and expand the agency’s rules relating to cybersecurity.1 Stressing that cybersecurity is a matter of national security, Chair Gensler signaled that new guidance or proposed rules would enhance or expand public company cybersecurity programs and risk disclosures; cybersecurity program requirements and breach notification obligations for SEC regulated entities under Reg S-P; and the scope of registrants covered under Regulation Systems Compliance and Integrity (Reg SCI). He also signaled the SEC’s continued focus on enforcement and cooperation with other law enforcement agencies.2 (more…)

SEC Encourages Self-Reporting of Recordkeeping Violations Resulting From Employees’ Use of Personal Devices for Business Communications

On December 17, 2021, the U.S. Securities and Exchange Commission (SEC) announced settled charges against a broker-dealer firm for recordkeeping violations arising from its employees’ use of personal devices for business communications. The firm agreed to pay a $125 million penalty and to retain a compliance consultant to conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications found on personal devices. In announcing this enforcement action, the SEC encouraged registrants to self-report similar failures to the SEC. (more…)