On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”). The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them. The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2). The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).
The proposed Guidelines are open for public consultation until January 18, 2019. It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation. (more…)
On November 16, the U.S. Securities and Exchange Commission (SEC) announced its first enforcement actions against issuers of initial coin offerings solely for failing to register the offerings in violation of the federal securities laws since Munchee (i.e., without allegations of fraud). Unlike the Munchee order, these settlements impose penalties against the issuers and require certain undertakings, such as registering the digital assets as securities under the Exchange Act. The same day, the SEC’s Divisions of Corporation Finance, Investment Management and Trading and Markets released a joint statement reiterating the SEC’s lessons from recent enforcement actions related to digital assets. (more…)
The Administration is preparing to release a Request for Information (“RFI”) on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) rules. The draft RFI was recently submitted by the Department of Health and Human Services (“HHS”) to the White House’s Office of Management and Budget (“OMB”) for pre-release review.
European Digital Rights (EDRi), a digital user rights non-for-profit organisation, on 25 October 2018, launched an online platform, ‘GDPR Today’. In its first edition of the GDPR Today, the EDRi published statistics collected from eight EU Member States (France, Germany, Ireland, Italy, Poland, Romania, Sweden and the United Kingdom). The statistics show that since the GDPR’s entry into force on 25 May 2018, data protection authorities (DPAs) have received thousands of complaints from EU individuals on the implementation of the GDPR by businesses and other organisations. Of note, the United Kingdom’s DPA, the UK Information Commissioner’s Office (ICO), has topped the list of complaints received, with nearly 15,000 complaints. Germany and France follow in the rankings, with 6,555 complaints and 3,767 complaints received, respectively. However, the UK figure includes complaints filed with the ICO prior to the GDPR’s effective date. (more…)
The results of Tuesday’s midterm elections were notable for several reasons, and not just in the races at the top of the ticket — there were also significant changes in the state Attorney General ranks. Forty jurisdictions (including Guam, Virgin Islands and the District of Columbia) had Attorney General candidates on their ballots, including open races in 13 jurisdictions. It was a somewhat strong showing for Democrats, who picked up open seats in Colorado (Phil Weiser), Michigan (Dana Nessel) and Nevada (Aaron Ford). In addition, Democrat Josh Kaul defeated incumbent Republican Brad Schimel in Wisconsin. Overall, there are 14 new Attorneys General. A chart at the end of this Update lists the results of all of Attorney General elections. (more…)
On November 1, 2018, following a rising tide of speculation, the Hong Kong regulator Securities and Futures Commission (SFC) announced a series of initiatives to regulate digital assets for the first time (and, apparently, without the need for any kind of legislative approval or backing). The initiatives, discussed below, take effect immediately. For purposes of the new regime, the SFC refers to “virtual assets” broadly defined to include initial coin offerings (ICOs), digital tokens (such as digital currencies, utility tokens or security or asset-backed tokens) and any other virtual commodities, cryptoassets and other assets of essentially the same nature (together “digital assets” herein as commonly understood in the industry). (more…)
Companies with robust cybersecurity programs may still be vulnerable to attack. A new, first-of-its-kind law in Ohio now recognizes this fact. On November 1, 2018, the Ohio Data Protection Act (SB 220) establishes a safe harbor from state tort actions in data breach cases for entities that have developed an information security program with “administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.” Without establishing minimum cybersecurity standards, the Ohio law affords defendants an “affirmative defense” against state tort actions and establishes an important precedent that may serve as a model for other states and the federal government to follow. (more…)
A string of Governmental announcements have increasingly sounded the alarm about the growing cybersecurity threat facing the energy sector. Among other things, these reports have announced that state-sponsored cyber actors have successfully gained access to the control rooms of utilities. The hackers, one of the reports notes, could have used such access to cause blackouts.
On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.