On August 26, 2021, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) published its mission statement setting out the UK approach to adequacy assessments and international data transfers, alongside a Manual Template and Manual Guidance for undertaking adequacy assessments and an infographic map illustrating ten priority countries forming part of that process. This release forms part of a broader package of measures announced by DCMS to “seize the opportunities of data to boost growth, trade and improve its public services” following the UK’s exit from the EU, which included an announcement that John Edwards (the current New Zealand Privacy Commissioner) is the Government’s preferred nominee to be the next UK Information Commissioner.
William RM Long | 2021-08-31 11:09:35 | 2023-09-07 12:41:55 | UK Government Publishes UK Approach to International Transfers, Including Data Adequacy
Through its announcement of settled charges against Pearson plc (Pearson) on August 16, 2021, the U.S. Securities and Exchange Commission signaled its continued, high-level scrutiny of companies’ public statements related to data security incidents. Without admitting or denying the SEC’s findings, Pearson agreed to a cease and desist order (Order) and to pay a $1 million penalty. The SEC’s Pearson Order follows its June 2021 announcement that it had settled charges against First American Title Insurance Company (First American) for cybersecurity disclosure control failures. Together, the Pearson and First American actions underscore the SEC’s increasingly vigorous enforcement efforts on disclosure control violations related to cybersecurity issues, in particular vulnerabilities that expose sensitive customer information and data breaches.
Alan Charles Raul | 2021-08-30 13:28:43 | 2023-09-07 12:42:17 | SEC Continues Focus on Cybersecurity Disclosure Failures, Announces Settled Charges Against Pearson plc
On 11 August 2021, the UK Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement and guidance (Consultation). The Consultation comes two months after the European Commission’s adoption of new EU Standard Contractual Clauses (EU SCCs) and the European Data Protection Board’s publication of the final Schrems II guidance. The EU SCCs do not automatically apply in the UK since its exit from the EU. Moreover, the ICO has not yet formally acknowledged the EU SCCs, i.e., as a valid data transfer mechanism under the UK GDPR.
William RM Long | 2021-08-23 12:28:59 | 2023-09-07 12:42:42 | UK ICO Opens Consultation on Data Transfer Agreements and Guidance
On August 11, 2021, the Federal Financial Institutions Examination Council (FFIEC) issued guidance establishing risk management principles and practices to support the authentication of users accessing a financial institution’s information systems and customers accessing a financial institution’s digital banking services (the Guidance). The Guidance is not intended to serve as a comprehensive framework but rather provides financial institutions with examples of effective risk management practices without endorsing any specific information security framework or standard.
David E. Teitelbaum | 2021-08-17 10:48:38 | 2023-09-07 12:43:16 | FFIEC Guidance on Authentication and Access to Financial Institution Services and Systems
Please join us for a panel discussion titled, “What Have We Learned About Privacy from the Pandemic, and What Does it Mean Going Forward?” at the Technology Policy Institute (TPI) 2021 Aspen Forum on Monday, August 16. In addition to the COVID-19 pandemic and its impact on data privacy, the panel will discuss privacy legislation, the Biden Administration and Federal Trade Commission (FTC), Schrems, and disruptive technologies.
Data Matters Contributors | 2021-08-13 11:43:24 | 2023-09-07 15:27:07 | Upcoming TPI Panel: What Have We Learned About Privacy from the Pandemic, and What Does it Mean Going Forward?
In recent weeks, Connecticut passed An Act Concerning Data Privacy Breaches (“The Act”), and the Uniform Law Commission approved and recommended the Uniform Personal Data Protection Act (“UPDPA”). With the growing patchwork of state data privacy laws continuing to pose challenges for compliance—and the potential for federal data privacy legislation at the forefront of policy debates—the UPDPA may provide state legislators with a path toward a standardized statutory scheme.
Colleen Theresa Brown | 2021-08-09 17:09:53 | 2023-09-07 12:44:23 | Connecticut Strengthens Data Breach Notification Requirements and the Uniform Law Commission Approves and Recommends Comprehensive and Uniform State Privacy Legislation
With the U.S. Congress continuing to stymie federal omnibus privacy legislation, states have decidedly taken up the call. Most recently, on July 8, 2021, Colorado Gov. Jared Polis signed into law Senate Bill 21-190, the Colorado Privacy Act (CPA). With the signing of the CPA, which will largely go into effect on July 1, 2023, Colorado became the third state to enact comprehensive privacy legislation following the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Other states have taken a more limited approach, most notably Nevada, which increased the scope of the right to opt out of personal data sales under its targeted privacy law.
Colleen Theresa Brown | 2021-07-28 18:25:07 | 2024-05-02 16:50:58 | West Coast, East Coast, and Now Mountains, Too: Colorado Joins the Comprehensive State Privacy Law Club
Given the substantial growth in digital asset investments this year, intermediaries offering trading and lending services are now the target of regulatory and enforcement focus that we expect will continue in the coming months and years. Recent examples of this increased scrutiny of digital asset service providers and intermediaries include:
Securities and Exchange Commission (SEC) Chair Gary Gensler’s keynote for the American Bar Association Derivatives and Futures Committee, which touched on the regulation of cryptocurrencies, including statements that decentralized finance (DeFi) are implicated by securities laws
the letter from Sen. Elizabeth Warren, D-Mass., to Chair Gensler requesting further information about the SEC’s authority to regulate cryptocurrency exchanges
recent actions by state securities regulators against the financial services platform BlockFi related to a digital asset lending program alleging that these products are unregistered securities offerings
the SEC settlement with Coinschedule, which operated a token-offering website and failed to disclose the compensation it received from token issuers in violation of antitouting provisions
Lilya Tessler | 2021-07-27 11:46:52 | 2023-09-07 12:49:39 | Enhanced Focus on Digital Asset Intermediaries by SEC, Congress, and State Securities Regulators
UK Government Publishes UK Approach to International Transfers, Including Data Adequacy
William RM Long
London
wlong@sidley.com
Eleanor Dodding
London
edodding@sidley.com
SEC Continues Focus on Cybersecurity Disclosure Failures, Announces Settled Charges Against Pearson plc
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Stephen L. Cohen
Washington, D.C., Boston, ...
scohen@sidley.com
Sujit Raman
Geeta Malhotra
Chicago
gmalhotra@sidley.com
Michael R. Roberts
Laura Sorice
New York
lsorice@sidley.com
Sara B. Brody
San Francisco, Palo Alto
sbrody@sidley.com
UK ICO Opens Consultation on Data Transfer Agreements and Guidance
William RM Long
London
wlong@sidley.com
Francesca Blythe
London
fblythe@sidley.com
FFIEC Guidance on Authentication and Access to Financial Institution Services and Systems
David E. Teitelbaum
Washington, D.C.
dteitelbaum@sidley.com
Joel D. Feinberg
Washington, D.C.
jfeinberg@sidley.com
Michael D. Lewis
Washington, D.C.
michael.lewis@sidley.com
Thomas G. Ward
Washington, D.C.
tgward@sidley.com
Upcoming TPI Panel: What Have We Learned About Privacy from the Pandemic, and What Does it Mean Going Forward?
Data Matters Contributors
sidleyprivacyblog@sidley.com
Connecticut Strengthens Data Breach Notification Requirements and the Uniform Law Commission Approves and Recommends Comprehensive and Uniform State Privacy Legislation
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Laura Sorice
New York
lsorice@sidley.com
Sasha Hondagneu-Messner
New York
shondagneumessner@sidley.com
West Coast, East Coast, and Now Mountains, Too: Colorado Joins the Comprehensive State Privacy Law Club
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Clayton G. Northouse
Lauren Kitces
Washington, D.C.
lkitces@sidley.com
Michael R. Roberts
Amisha Gandhi
San Francisco
amisha.gandhi@sidley.com
Enhanced Focus on Digital Asset Intermediaries by SEC, Congress, and State Securities Regulators
Lilya Tessler
Dallas, Miami
ltessler@sidley.com
Daniel Engoren