Categories
Archives
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
Data Matters
Cybersecurity, Privacy, Data Protection, Artificial Intelligence, Internet Law, and Policy
Big California Privacy News: Legislative and Enforcement Updates
Privacy never sleeps in California. In recent days and as California’s legislative session comes to a close, there have been a number of significant legislative and regulatory developments in the state, each of which will likely (again) change the privacy landscape in California and, by extension, the rest of the country. For businesses operating in California or whose websites, products or services reach California residents, these changes mean new compliance obligations, some of which could require significant investments of time and resources. The impact of these changes highlight once again how the United States lacks a consistent national policy on privacy that could be set by a comprehensive federal privacy law. (more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Amy P. Lally
Century City
alally@sidley.com
‘Cyclops Blink’ Shows Why the SEC’s Proposed Cybersecurity Disclosure Rule Could Undermine the Nation’s Cybersecurity
**This article originally appeared on Lawfare
As nation-state actors increase their malicious cyber capabilities toward companies, U.S. regulators such as the SEC have understandably increased their regulatory focus on cybersecurity. The SEC is of course a well-intended member of Team Cyber, and investors in public companies might benefit from some aspects of the SEC’s proposal: Increased knowledge of a company’s cybersecurity risks, experience, governance, and resiliency could be important to their decision-making. But the proposal is dangerous to the extent that it jeopardizes important safety, security, and geopolitical interests in the name of disclosure. Put simply, the SEC’s proposal must be revised to assure responsible (not reckless) public disclosure. The SEC should not force public companies to choose between SEC liability and effective collaboration with the government’s cybersecurity-focused agencies. As is, the proposed rule could increase the risk to the U.S.’s critical infrastructure, economy, homeland, and allies. The proposal should include deference for exigent law enforcement, national security, and judicial needs, and allow delay where appropriate for ongoing, unpatched incidents when premature disclosure could harm a broad swath of vulnerable companies and even government agencies.
View Article
Sasha Hondagneu-Messner
New York
shondagneumessner@sidley.com
Alan Charles Raul
Washington, D.C., New York
Stephen W. McInerney
Chicago
smcinerney@sidley.com
FTC ANPR Explores Wide Ranging Topics for Privacy and Cybersecurity Rulemaking
On Thursday, August 11, the Federal Trade Commission (“FTC”) announced that it is exploring rules to crack down on harmful commercial surveillance and lax data security practices. The FTC’s Advance Notice of Proposed Rulemaking (“ANPR”) solicits public comment on whether it should put into effect new rules and restrictions concerning standards and requirements for information security, the ways in which companies collect and process data in commercial contexts, and whether any practices related to the transfer, sharing, selling, or other monetization of personal information should be categorized as unfair or deceptive. The FTC voted 3-2 to publish the notice, with Chair Khan and Commissioners Slaughter and Bedoya voting in favor and issuing separate statements. Commissioners Phillips and Wilson voted against publication and also issued separate dissenting statements. The following Monday, Commissioner Phillips announced he would be leaving the FTC this fall.
(more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Lauren Kitces
Washington, D.C.
lkitces@sidley.com
Off to the Races: Comment Period for CPRA Proposed Regulations Begins
On Friday, July 8th, the California Privacy Protection Agency (CalPPA) began the formal rulemaking process to adopt proposed regulations to implement California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA). The initial written comment period will end on August 23, 2022 at 5:00 pm Pacific Time. To cap off the initial comment period, CalPPA will hold a public hearing on August 24th and 25th, during which the agency will accept oral comments and then close the first comment period.
The rulemaking process will take some time. Indeed, it is possible this initial rulemaking round will not be complete until after Thanksgiving. Revisions to the first draft are expected through likely multiple notice and comment rounds, in addition to deliberations by the CalPPA Board in noticed public meetings. Moreover, once the agency process is complete, the Office of Administrative Law (OAL) will review the proposed regulations to ensure they are consistent with the statute.
(more…)
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
SEC Encourages Self-Reporting of Recordkeeping Violations Resulting From Employees’ Use of Personal Devices for Business Communications
On December 17, 2021, the U.S. Securities and Exchange Commission (SEC) announced settled charges against a broker-dealer firm for recordkeeping violations arising from its employees’ use of personal devices for business communications. The firm agreed to pay a $125 million penalty and to retain a compliance consultant to conduct a comprehensive review of its policies and procedures relating to the retention of electronic communications found on personal devices. In announcing this enforcement action, the SEC encouraged registrants to self-report similar failures to the SEC. (more…)
Lara C. Thyagarajan
New York
lthyagarajan@sidley.com
Ranah Esmaili
Washington, D.C.
resmaili@sidley.com
Stephen L. Cohen
Washington, D.C., Boston, ...
scohen@sidley.com
Barry W. Rashkover
Corin R. Swift
New York
corin.swift@sidley.com
5 Global Data Protection Trends To Watch In 2022
*This article was first published by Law360 on January 3, 2022.
A recent discussion with Elizabeth Denham and Claudia Berg of the U.K. Information Commissioner’s Office provided ample food for thought on the direction in which data protection regulation both in the U.K. and internationally is headed, including key trends to watch for in data protection.
View article.
William RM Long
London
wlong@sidley.com
Francesca Blythe
London
fblythe@sidley.com
FTC Announces it May Pursue Rulemaking to Combat Discrimination in AI
On December 10, the Federal Trade Commission (FTC) announced it is considering a rulemaking on commercial Artificial Intelligence (AI). The purpose of the rulemaking, according to an advanced notice of proposed rulemaking (ANPRM) titled “Trade Regulation in Commercial Surveillance,” would be “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”
While not formally part of the rulemaking process mandated by the Administrative Procedure Act, advanced notices allow agencies to solicit public comment before drafting more specific proposals. The FTC has not yet issued privacy or artificial intelligence rules, though it has indicated that such rulemaking is on the horizon. The December 10 ANPRM is another signal that the FTC is gearing up to develop substantive privacy guidelines. (more…)
Alexandra T. Mushka
Washington, D.C.
amushka@sidley.com
Clayton G. Northouse
Lauren Kitces
Washington, D.C.
lkitces@sidley.com
SEC Announces Long-Awaited Updates to Broker-Dealer Recordkeeping Requirements
In a much anticipated (and, to many, long overdue) release published in mid-November, the U.S. Securities and Exchange Commission (SEC) proposed to update its decades-old recordkeeping requirements for broker-dealers to, among other things, allow for electronic records to be retained in a manner other than “exclusively in a non-rewriteable, non-erasable format” (aka write once, read many, or WORM). The proposal would allow electronic records to be retained, as an alternative to WORM, using an audit-trail methodology.
(more…)
Katie Klaben
Washington, D.C.
kklaben@sidley.com
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
W. Hardy Callcott
San Francisco
wcallcott@sidley.com
Michael D. Wolk
Paul M. Tyrrell
Boston
ptyrrell@sidley.com
Upcoming Events
Resources
Meet the Team
Kwaku A. Akowuah
kakowuah@sidley.com
Sheila A.G. Armbrust
sarmbrust@sidley.com
Francesca Blythe
fblythe@sidley.com
Colleen Theresa Brown
ctbrown@sidley.com
Thomas D. Cunningham
tcunningham@sidley.com
Sharon R. Flanagan
sflanagan@sidley.com
David A. Gordon
dgordon@sidley.com
Tomoki Ishiara
tishiara@sidley.com
Amy P. Lally
alally@sidley.com
David C. Lashway
dlashway@sidley.com
William RM Long
wlong@sidley.com
Joan M. Loughnane
jloughnane@sidley.com
Geeta Malhotra
gmalhotra@sidley.com
Rollin A. Ransom
rransom@sidley.com
Alan Charles Raul
araul@sidley.com
Jennifer B. Seale
jseale@sidley.com
Yuet Ming Tham
ytham@sidley.com
Jonathan M. Wilan
jwilan@sidley.com
John W. Woods Jr.
jwoods@sidley.com