**This article originally appeared on Lawfare
As nation-state actors increase their malicious cyber capabilities toward companies, U.S. regulators such as the SEC have understandably increased their regulatory focus on cybersecurity. The SEC is of course a well-intended member of Team Cyber, and investors in public companies might benefit from some aspects of the SEC’s proposal: Increased knowledge of a company’s cybersecurity risks, experience, governance, and resiliency could be important to their decision-making. But the proposal is dangerous to the extent that it jeopardizes important safety, security, and geopolitical interests in the name of disclosure. Put simply, the SEC’s proposal must be revised to assure responsible (not reckless) public disclosure. The SEC should not force public companies to choose between SEC liability and effective collaboration with the government’s cybersecurity-focused agencies. As is, the proposed rule could increase the risk to the U.S.’s critical infrastructure, economy, homeland, and allies. The proposal should include deference for exigent law enforcement, national security, and judicial needs, and allow delay where appropriate for ongoing, unpatched incidents when premature disclosure could harm a broad swath of vulnerable companies and even government agencies.
On Thursday, August 11, the Federal Trade Commission (“FTC”) announced that it is exploring rules to crack down on harmful commercial surveillance and lax data security practices. The FTC’s Advance Notice of Proposed Rulemaking (“ANPR”) solicits public comment on whether it should put into effect new rules and restrictions concerning standards and requirements for information security, the ways in which companies collect and process data in commercial contexts, and whether any practices related to the transfer, sharing, selling, or other monetization of personal information should be categorized as unfair or deceptive. The FTC voted 3-2 to publish the notice, with Chair Khan and Commissioners Slaughter and Bedoya voting in favor and issuing separate statements. Commissioners Phillips and Wilson voted against publication and also issued separate dissenting statements. The following Monday, Commissioner Phillips announced he would be leaving the FTC this fall.
On Friday, July 8th, the California Privacy Protection Agency (CalPPA) began the formal rulemaking process to adopt proposed regulations to implement California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA). The initial written comment period will end on August 23, 2022 at 5:00 pm Pacific Time. To cap off the initial comment period, CalPPA will hold a public hearing on August 24th and 25th, during which the agency will accept oral comments and then close the first comment period.
The rulemaking process will take some time. Indeed, it is possible this initial rulemaking round will not be complete until after Thanksgiving. Revisions to the first draft are expected through likely multiple notice and comment rounds, in addition to deliberations by the CalPPA Board in noticed public meetings. Moreover, once the agency process is complete, the Office of Administrative Law (OAL) will review the proposed regulations to ensure they are consistent with the statute.
Join Sidley and OneTrust DataGuidance for Part two of the “Data Regulation Ramps Up in Europe” webinar series, where our panel will discuss legislative proposals, including the Artificial Intelligence Act, the Data Act, and the Data Governance Act (DGA). (more…)
Changes to uniform U.S. state law commercial law rules for transactions in digital assets, including cryptocurrencies, tokens, electronic notes, and electronic chattel paper, are being finalized this summer and may be adopted in state legislatures as early as this fall. When adopted, these rules will create a uniform playing field with more certainty for transactions in digital assets — but can also hold some surprises for those not prepared. Everyone with an interest in digital assets — exchanges, custodians, holders, issuers, and lenders — should stop now to consider how these new rules will apply to their businesses and whether changes in their practices and contracts are warranted. They should also consider whether the new laws create new opportunities. Learn how the new rules apply to you and your business. (more…)
As the year approaches its halfway point, Chinese government accelerates the legislation for cross-border data transfers. (more…)
Last week, the UK Competition and Markets Authority (CMA) hosted its inaugural Data, Technology, and Analytics (DaTA) Conference.
The CMA DaTa Conference has been hailed as a milestone as it convened for the first time regulators, data scientists, engineers, tech companies, and academics to discuss evolving challenges in digital markets. The conference coincided with London Tech Week, during which Chris Philp, UK Minister for Tech and the Digital Economy, unveiled a new UK Digital Strategy: the UK government’s vision for regulating digital markets, involving a monitoring framework and outcomes-focused regulation. The government has opened a public consultation, and stakeholders have until September 5, 2022, to offer their views on the proposed approach.
Against this background, here is our selection of the top five trends that stood out over the course of the CMA DaTa Conference. (more…)
On June 15, 2022, the U.S. Securities and Exchange Commission (Commission) issued a request for comment with respect to whether certain index, model, pricing, and other information providers should be regulated as investment advisers under the Investment Advisers Act of 1940. The Commission suggests fresh consideration is needed in light of changes in technology and market practices in the decades since these topics were last given significant attention — especially given the continuing expansion of index-based investment strategies. Responses to the request for comment are due the later of August 16, 2022, or 30 days after publication of the release in the Federal Register. (more…)
Kentucky and Maryland recently continued the trend of state insurance departments adopting some version of the National Association of Insurance Commissioners’ (“NAIC”) Insurance Data Security Model Law. Kentucky Governor Andy Beshear signed House Bill 474 into law, and Maryland Governor Larry Hogan signed SB 207. (more…)
Connecticut has passed a new state data privacy law slated to go into effect on July 1, 2023. The law largely tracks other new state data privacy laws recently passed in Virginia and Colorado, but also includes several provisions that could impact compliance plans, including a new obligation to provide a mechanism for consumers to revoke their consent to the processing of their data. (more…)