Executive Order on Ensuring Responsible Innovation in Digital Assets

On March 9, 2022, President Joe Biden signed an executive order (EO) to engage several federal agencies in a comprehensive review of the federal government’s approach to cryptocurrencies and digital assets. The broad scope of the EO outlines a unified, “whole-of government” approach to developing policy for digital assets across five key priorities: (1) potential introduction of a United States Central Bank Digital Currency (CBDC); (2) consumer, investor, and business protection; (3) financial stability and systemic risk; (4) illicit finance and national security; and (5) U.S. leadership in the global financial system and economic competitiveness. The EO also focuses on the impact that blockchain technology and digital assets can have on financial inclusion and human rights (including the unbanked and underbanked) as well as on climate change and environmental pollution (including energy usage from mining and grid management). (more…)

Digital Health Compliance Considerations — Revenue Models and Patient Incentives

Digital Health Compliance Considerations — Revenue Models and Patient Incentives

The digital health market continues to grow exponentially in the United States. As startups and established companies market digital tools and technology to improve health outcomes and reduce costs, a key issue is whether the revenue model and any incentives used to drive patient behavior comply with federal healthcare laws that prohibit kickbacks to providers and patients. A recent government opinion issued to a digital behavioral health company approves a revenue and patient incentive model under key federal healthcare fraud and abuse laws and serves as a possible starting point for development of a sustainable revenue model that can be scaled as the business grows. (more…)

Newly Proposed SEC Cybersecurity Risk Management and Governance Rules and Amendments for Public Companies

On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new cybersecurity rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The text of the proposed rules is available here. The SEC proposal would continue to ratchet up cybersecurity as an increasingly critical dimension of corporate governance.

Key takeaways from the SEC’s release include the following: (more…)

Data Protection in Financial Services Week 2022

WEBINAR

From February 28-March 3, Sidley and OneTrust DataGuidance hosted their annual Data Protection in Financial Services (DPFS) Week, a series of webinars looking at the impacts of data privacy across the financial sector. Industry speakers covered a range of issues including:

  • How the latest privacy and cybersecurity developments in Europe and the U.S. have impacted financial services
  • How new and existing privacy and cyber requirements intersect with finance-specific regulation
  • What financial organizations can do to keep ahead of the curve in the ever-evolving data privacy and cyber landscape
  • How to deal with and manage the key issues for 2022, such as AI, data governance, and international transfers

(more…)

Trying to Tackle Big Data: European Union Launches Draft Data Act

On 23 February 2022, the European Commission (Commission) proposed a draft of a regulation on harmonised rules on fair access to and use of data – also known as the Data Act. The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”.

If adopted in its current form, the new rules will impose far-reaching obligations on tech companies (such as manufacturers of connected products and cloud service providers) and give national authorities new enforcement powers to sanction infringements with fines of up to EUR 20 million or 4% of annual global revenue, whichever is higher. (more…)

Newly Proposed SEC Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds

On February 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed comprehensive rules for registered advisers and funds. Among other things, these rules will require advisers and funds to implement written policies and procedures designed to address cybersecurity risks, report significant cybersecurity incidents to the SEC within 48 hours using a proposed form, and keep enumerated cybersecurity-related books and records. Initial reactions have been mixed, including a published dissent from Commissioner Hester Peirce. A public comment period is ongoing.

(more…)

U.S. Government Issues Warning of Threat Against U.S. Critical Infrastructure

On February 25, 2022, in light of Russia’s attack on Ukraine, and months of continuing Russian state-sponsored cyberattacks on Ukrainian government and critical infrastructure organizations, the Cybersecurity and Infrastructure Security Agency (CISA) issued a “Shields Up” warning to American critical infrastructure organizations and businesses, stating that “[e]very organization—large and small—must be prepared to respond to disruptive cyber activity.”  While the guidance states that there are no specific, credible cyber threats directed at the United States, it notes that Russian threat actors have been orchestrating denial of service and destructive malware attacks affecting Ukraine and its neighboring countries, and that such activities may spread to the United States and its NATO allies in what is a rapidly evolving scenario. (more…)

California Privacy Agency: CPRA Regs Not Likely Until Late 2022

Final regulations implementing the California Privacy Rights Act (CPRA) may not be issued until Q3 or Q4 2022, as reported by Executive Director Soltani of the California Privacy Protection Agency (“CalPPA”) at its February 17th Board meeting.  This means that businesses subject to CPRA will not have regulatory guidance on how to implement the CPRA until just months, or possibly weeks, before the law goes into effect on January 1, 2023, assuming the regulations are finalized before the effective date.  This is a significant departure from the CPRA’s stated timeline of July 1, 2022 for the adoption of final regulations.  While enforcement under CPRA cannot begin until July 1, 2023, and at that time enforcement can only address violations alleged to have occurred on or after that date, businesses are not well-served by the prospect of implementing the significant regulations required by the CPRA in half the statutorily allotted time. (more…)

Building AI and Machine Learning Technologies: Data Licensing Tips and Traps

Data is the fuel for software development, and developers use historical data from existing products to train algorithms and build AI and machine learning models. Companies are well aware of privacy and regulatory restrictions on data use, but often do not consider the potential impact of data use restrictions on intellectual property ownership and use rights. (more…)

SEC Chair: Sweeping New Cybersecurity Rules Are Coming Soon

On Monday, January 24, 2022, in a speech at the Northwestern University Pritzker School of Law annual Securities Regulation Institute conference, Gary Gensler, Chair of the U.S. Securities and Exchange Commission (SEC), announced that he has asked SEC staff to provide sweeping rulemaking recommendations to modernize and expand the agency’s rules relating to cybersecurity.1 Stressing that cybersecurity is a matter of national security, Chair Gensler signaled that new guidance or proposed rules would enhance or expand public company cybersecurity programs and risk disclosures; cybersecurity program requirements and breach notification obligations for SEC regulated entities under Reg S-P; and the scope of registrants covered under Regulation Systems Compliance and Integrity (Reg SCI). He also signaled the SEC’s continued focus on enforcement and cooperation with other law enforcement agencies.2 (more…)