SEC Continues Focus on Cybersecurity Disclosure Failures, Announces Settled Charges Against Pearson plc

Through its announcement of settled charges against Pearson plc (Pearson) on August 16, 2021, the U.S. Securities and Exchange Commission signaled its continued, high-level scrutiny of companies’ public statements related to data security incidents.1 Without admitting or denying the SEC’s findings, Pearson agreed to a cease-and-desist order (Order) and to pay a $1 million penalty.2 The SEC’s Pearson Order follows its June 2021 announcement that it had settled charges against First American Title Insurance Company (First American) for cybersecurity disclosure control failures.3 Together, the Pearson and First American actions underscore the SEC’s increasingly vigorous enforcement of disclosure control violations related to cybersecurity issues, in particular vulnerabilities that expose sensitive customer information and data breaches.

Enhanced Focus on Digital Asset Intermediaries by SEC, Congress, and State Securities Regulators

Given the substantial growth in digital asset investments this year, intermediaries offering trading and lending services are now the target of regulatory and enforcement focus that we expect will continue in the coming months and years. Recent examples of this increased scrutiny of digital asset service providers and intermediaries include:

  • Securities and Exchange Commission (SEC) Chair Gary Gensler’s keynote for the American Bar Association Derivatives and Futures Committee, which touched on the regulation of cryptocurrencies, including statements that decentralized finance (DeFi) is implicated by the securities laws
  • the letter from Sen. Elizabeth Warren, D-Mass., to Chair Gensler requesting further information about the SEC’s authority to regulate cryptocurrency exchanges
  • recent actions by state securities regulators against the financial services platform BlockFi related to a digital asset lending program, alleging that these products are unregistered securities offerings
  • the SEC settlement with Coinschedule, which operated a token-offering website and failed to disclose the compensation it received from token issuers, in violation of the anti-touting provisions


European Commission Adopts UK Adequacy Decisions Allowing Personal Data to Freely Flow from the EU to the UK

On 28 June 2021, the European Commission announced that it had adopted two adequacy decisions for the UK, one under the General Data Protection Regulation (GDPR) and one under the Data Protection Directive with Respect to Law Enforcement (Law Enforcement Directive) (Adequacy Decisions). The announcement came just two days before the bridging period for data transfers between the EU and the UK was set to expire. In its assessment, the European Commission determined that the UK’s data protection laws are “essentially equivalent” to the data protection laws ensured within the EU. As a result of the Adequacy Decisions, personal data can continue to flow freely from the EU to the UK without the need for a data transfer safeguard (e.g., Standard Contractual Clauses or SCCs) in place. This announcement comes as very welcome news to many organisations transferring data between the EU and the UK.


European Data Protection Board Issues Final Schrems II Recommendations

On 18 June 2021, the European Data Protection Board (“EDPB”) adopted its final recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling (“Final Schrems II Recommendations”). The Final Schrems II Recommendations, together with the new Standard Contractual Clauses (“SCCs”) adopted by the European Commission on 4 June 2021, will now allow organizations to proceed with addressing international data transfers following the landmark Schrems II ruling by the Court of Justice of the European Union in July 2020.

The Final Schrems II Recommendations have maintained the requirement to carry out a 6-Step assessment prior to transferring personal data outside the EEA in reliance on a data transfer tool, such as SCCs. However, there have been some important amendments from the draft recommendations published in November 2020 in order to:

  • better align with the new SCCs recently adopted by the European Commission; and
  • allow more flexibility in carrying out the assessment of third country laws in Step 3 by being able to take into account practice in the third country as well as the documented practical experience of the data importer.

Our previous blog post on the EDPB’s draft Schrems II recommendations provides further details on the 6-Step process that organizations should follow when transferring personal data from the EEA to a third country such as the U.S. Here we summarise some of the key differences in the 6 Steps between the draft recommendations and the Final Schrems II Recommendations.


SEC Announces Settled Charges Against First American for Cybersecurity Disclosure Controls Failures – Lessons Learned

On June 15, 2021, the SEC announced settled charges against First American Title Insurance Company (First American) for disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.1 Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order (Order) and to pay a $487,616 penalty. This resolution highlights the SEC’s continued focus on cybersecurity. The SEC is considering enhancing its disclosure rules concerning cybersecurity risk governance and has indicated a target release date of October 2021.2


SCCs, Adequacy, and Guidance: Latest Updates on International Data Transfers

The next few weeks will likely be very busy for companies on the GDPR international data transfer front, as there have been a number of key European developments over the last few days, including:

Transferring EU Data To US After New Contractual Safeguards – A Proposal to Notify Intelligence Agencies of “US Person” Prohibition on Targeting SCC Transfers

This article was first published by Law360 on May 17, 2021.

In light of the new standard contractual clauses, or SCCs, to be issued shortly by the European Commission, as well as imminent new guidance from the European Data Protection Board, companies transferring personal data to the U.S. should consider taking steps to help ensure their data transfers are recognized as U.S. person communications.

This article sets forth possible text that companies could adopt as a supplemental measure to inform U.S. intelligence agencies that data transfers under SCCs are prohibited from being targeted.


Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Sidley Welcomes Former CFPB Enforcement Director Tom Ward

Sidley is pleased to announce that Thomas Ward, who previously served as Enforcement Director at the Consumer Financial Protection Bureau (CFPB), has joined the firm as a partner in the Banking and Financial Services Group in Washington, D.C. As the CFPB’s chief law enforcement officer, Tom was responsible for enforcing more than 20 enumerated consumer financial statutes and the Consumer Financial Protection Act. He established and supervised the strategy in hundreds of active investigations and cases prosecuted by the CFPB’s Office of Enforcement and managed the agency’s 165 enforcement trial lawyers, investigators, and staff. Under his leadership, in 2020, the CFPB brought the second highest number of enforcement actions since its inception, secured its fourth highest amount of redress, prosecuted its largest and most complex litigation docket, and recommitted to enforcing the Fair Lending laws, including filing the first contested Fair Lending action in the CFPB’s history.


Developments in Cookie Regulation: French CNIL Declares Intent to Audit Websites for Cookie Compliance

On April 2, 2021, the French Data Protection Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its intent to start auditing websites for compliance with cookie regulations. This publication follows a large number of developments and actions taken by the CNIL to further improve and guide organizations through cookie compliance. The CNIL had issued several recommendations, guidelines and cookie tools to raise awareness of the importance of this topic, with a final set of guidelines published on October 1, 2020 following public consultation rounds (“Cookie Guidelines”). The CNIL had determined that a 6-month grace period would apply following publication of the Cookie Guidelines. This grace period ended on April 1, 2021, and the CNIL now expects companies to be compliant with its recommendations and guidelines. The CNIL has confirmed that it may make use of the totality of its corrective powers to remedy non-compliance with the rules, including issuing (public) sanctions. In light of the increased scrutiny of cookies in the EU (and in the U.S. pursuant to certain state laws), organizations with websites or platforms operating in the EU (and U.S.) may want to reconsider their cookie practices and start carrying out cookie audits.


New Guidance on the Revised Swiss Data Protection Act Published by the Swiss Regulator

On 5 March 2021, the Federal Data Protection and Information Commissioner (FDPIC) published a short position paper on the revised Swiss Data Protection Act (revDPA). The position paper provides guidance for companies that are subject to the revDPA on how to meet its requirements once it enters into force, which is expected to be in the second half of 2022, after the Federal Administration has completed drafting the associated implementing ordinances.
