China Data Law Update: Certification Rules and Draft Standard Contract Are Issued
As the year approaches its halfway point, Chinese government accelerates the legislation for cross-border data transfers. (more…)
Newly Proposed SEC Cybersecurity Risk Management and Governance Rules and Amendments for Public Companies
On March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new cybersecurity rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The text of the proposed rules is available here. The SEC proposal would continue to ratchet up cybersecurity as an increasingly critical dimension of corporate governance.
Key takeaways from the SEC’s release include the following: (more…)
California Privacy Agency: CPRA Regs Not Likely Until Late 2022
Final regulations implementing the California Privacy Rights Act (CPRA) may not be issued until Q3 or Q4 2022, as reported by Executive Director Soltani of the California Privacy Protection Agency (“CalPPA”) at its February 17th Board meeting. This means that businesses subject to CPRA will not have regulatory guidance on how to implement the CPRA until just months, or possibly weeks, before the law goes into effect on January 1, 2023, assuming the regulations are finalized before the effective date. This is a significant departure from the CPRA’s stated timeline of July 1, 2022 for the adoption of final regulations. While enforcement under CPRA cannot begin until July 1, 2023, and at that time enforcement can only address violations alleged to have occurred on or after that date, businesses are not well-served by the prospect of implementing the significant regulations required by the CPRA in half the statutorily allotted time. (more…)
Fireside Chat: Earning Public Trust Amid Heightened Tech Regulation
On October 19, 2021, Sidley partner Alan Raul engaged in a fireside chat with Julie Brill, Corporate Vice President, Chief Privacy Officer, and Deputy General Counsel of Microsoft at the Reuters Events’ Legal Leaders 2021 Conference. (more…)
Changes to FTC Rulemaking Procedures Herald More Aggressive Action on Consumer Privacy
On July 22, 2021, the Federal Trade Commission finalized important changes to its procedures for rulemaking under Section 18 of the FTC Act. Section 18 authorizes the Commission to make regulations, termed “Trade Regulation Rules,” (or “Magnuson-Moss Rules” after their authorizing statute), which “define with specificity” conduct that violates the FTC Act’s ban on “unfair or deceptive” business practices. Section 18 rules are promulgated through a “hybrid rulemaking” process that includes, if an interested party requests it, an “informal hearing” with limited opportunities for oral presentation and cross-examination by representatives of stakeholder groups. (more…)
Rohit Chopra Confirmed as CFPB Director; Historically Active Enforcement and Regulatory Regime Begins
On September 30, the U.S. Senate confirmed Commissioner Rohit Chopra of the Federal Trade Commission as the new Director of the Consumer Financial Protection Bureau (CFPB). Director Chopra is expected to usher in a regime of dramatically increased enforcement and creative, expansive regulation. Many financial institutions will have questions and concerns about the CFPB, how it will affect their businesses and operations, and how to productively engage with this exceptionally powerful and opaque regulator. It is now more important than ever to closely follow the work of the CFPB as new leadership seeks to aggressively employ all of the agency’s tools in service of the American consumer. (more…)
FFIEC Guidance on Authentication and Access to Financial Institution Services and Systems
On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC)1 issued guidance establishing risk management principles and practices to support the authentication of users accessing a financial institution’s information systems and customers accessing a financial institution’s digital banking services (the Guidance). The Guidance is not intended to serve as a comprehensive framework but rather provides financial institutions with examples of effective risk management practices without endorsing any specific information security framework or standard.
NHS’ Plans to Share Patient Records with Third Parties
NHS Digital (the national custodian for health and care data in England) in May 2021, announced a new data sharing initiative called the General Practice Data for Planning and Research (GPDPR) service. The launch of the GPDPR could result in the historical medical records of up to 55 million patients in England being shared with third parties.
Although the GP data collection was set to take place as of July 1, 2021, on June 8, 2021 it was announced that the launch will be postponed to September 1, 2021.
SCCs, Adequacy, and Guidance: Latest Updates on International Data Transfers
The next few weeks will likely be very busy for companies on the GDPR international data transfer front as there have been a number of key European developments over the last few days including: (more…)