Broker-Dealers and Investment Advisers Should Double-Check Their “Identity Theft” Programs: SEC Division of Examinations Issues Risk Alert on SEC’s Identity Theft Red Flags Rule, Regulation S-ID
On December 5, 2022, the Division of Examinations of the Securities and Exchange Commission (SEC) released a Risk Alert discussing its observations on Regulation S-ID (Reg. S-ID) from recent examinations of SEC-registered investment advisers and broker-dealers. Reg. S-ID, the SEC’s implementation of the identity theft red flags rule, requires SEC-regulated financial institutions and creditors to develop and implement an identity theft prevention program (Program) with written policies and procedures that are updated periodically. The requirements for the Program are outlined in the text of Reg. S-ID, and there are guidelines in Appendix A to assist firms in creating and maintaining a compliant Program. As Reg. S-ID applies to both SEC and Commodity Futures Trading Commission-regulated entities, financial institutions and creditors should consider their compliance programs accordingly.
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
John I. Sakhleh
Washington, D.C.
jsakhleh@sidley.com
Sasha Hondagneu-Messner
New York
shondagneumessner@sidley.com
NY DFS Proposes New Class of Entities and More Detailed Regulations in Second Amendment to Cybersecurity Regulations
On November 9, 2022, the New York Department of Financial Services (DFS) published its proposed second amendment to its cybersecurity regulations (23 NY CRR Part 500). This proposal follows a July 29 pre-proposal and comment period. The amendment is available for a sixty-day comment period – until January 9, 2023 – after which the agency may adopt final regulations or issue a further revised version.
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Vishnu Tirumala
Washington, D.C.
vtirumala@sidley.com
Drizly FTC Order Introduces Significant Minimization, Deletion and Retention Requirements
On October 24, 2022, the Federal Trade Commission (“FTC”) issued an order (the “Order”) against the online alcohol marketplace Drizly and its CEO, James Cory Rellas, alleging security failures that resulted in a data breach exposing the personal information of approximately 2.5 million consumers. In reaching this conclusion, the FTC alleges that Drizly failed to implement reasonable safeguards to protect the personal information it collected and stored, such as two-factor authentication for GitHub, access controls for personal data, sufficient written security policies, and appropriate employee training regarding security.
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Lauren Kitces
Washington, D.C.
lkitces@sidley.com
Carly R. Owens
New York
cowens@sidley.com
New California Law Adds to Complexity of Content Moderation
States and Congress have been enacting or debating different approaches to online “content moderation” by social media and other internet platforms. California’s “Content Moderation Requirements for Internet Terms of Service” bill (“AB 587”) goes into effect on January 1, 2024. In short, AB 587 requires social media companies to disclose their processes for taking down or managing content and users on their platforms. AB 587 takes a somewhat different approach to social media content regulation than the previously enacted laws in Texas and Florida.
Kwaku A. Akowuah
Washington, D.C.
kakowuah@sidley.com
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
Ash Nagdev
Palo Alto
anagdev@sidley.com
Nayef Andrabi
Palo Alto
nandrabi@sidley.com
Amisha Gandhi
San Francisco
amisha.gandhi@sidley.com
The Ninth Edition of The Privacy, Data Protection and Cybersecurity Law Review is Now Available
The ninth edition of The Privacy, Data Protection and Cybersecurity Law Review provides a global overview of the legal and regulatory regimes governing data privacy and security, and covers areas such as data processors’ obligations, data subject rights, data transfers and localization, best practices for minimizing cyber risk, public and private enforcement, and an outlook for future developments. Several lawyers from Sidley’s global Privacy and Cybersecurity practice have contributed to this publication. See the chapters below for a closer look at this developing area of law.
Alan Charles Raul
Washington, D.C., New York
araul@sidley.com
William RM Long
London
wlong@sidley.com
Yuet Ming Tham
Singapore, Hong Kong
ytham@sidley.com
Linh Lieu
Hong Kong
linh.lieu@sidley.com
Tomoki Ishiara
Tokyo
tishiara@sidley.com
Margaret Allen
Singapore, Dallas
margaret.allen@sidley.com
Francesca Blythe
London
fblythe@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Eleanor Dodding
London
edodding@sidley.com
Lester Fung
Hong Kong
lester.fung@sidley.com
João D. Quartilho
Brussels
jquartilho@sidley.com
Faraaz Amzar
Singapore
faraaz.amzar@sidley.com
European Commission Publishes Draft Cyber Resilience Act
On 15 September 2022, the European Commission (“Commission” or “EC”) published a draft proposal for a Cyber Resilience Act (“CRA”). The CRA comes in response to the increasingly common occurrence of cyberattacks, with some predicting that the global cost of cyberattacks for companies will reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. The CRA promises to transform the European cybersecurity landscape by harmonizing and bolstering cybersecurity rules across all technologies with “digital elements.” The Commission is currently inviting public feedback on the CRA through 18 November 2022. The CRA will then pass through the European Parliament for debate and for amendments to be proposed.
William RM Long
London
wlong@sidley.com
Subhalakshmi Kumar
London
skumar@sidley.com
Eleanor Oates
London
eoates@sidley.com
CFPB Begins Rulemaking on Data Access and Portability
The Consumer Financial Protection Bureau (CFPB) on October 27, 2022 took the long-anticipated first step to issue a regulation implementing Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. This followed a preview by CFPB Director Rohit Chopra at the Money 20/20 conference on October 25 in which he outlined the “CFPB’s new approach to regulation,” which is designed to create “catalysts for more competition.” With respect to Section 1033, Director Chopra said that the CFPB is “exploring safeguards to prevent excessive control or monopolization by one, or even a handful of, firms” and will be working toward avoiding regulations that could be “rigged in favor of some players over others.” Director Chopra’s focus on competition as an essential element of consumer protection has been a hallmark of his directorship.
John K. Van De Weert
Washington, D.C.
jvandeweert@sidley.com
Thomas G. Ward
Washington, D.C.
tgward@sidley.com
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Kerry Nilsen
Washington, D.C.
knilsen@sidley.com
Joel D. Feinberg
Washington, D.C.
jfeinberg@sidley.com
HHS Office for Civil Rights Releases Webinar on Recognized Security Practices: Provides Guidance on Mitigating Potential Violations of HIPAA
Pursuant to legislation passed in 2021, covered entities and business associates subject to HIPAA that face potential regulatory enforcement may receive credit that reduces enforcement penalties if they had implemented Recognized Security Practices (RSPs) within the prior 12 months. However, what may constitute RSPs, and how a covered entity or business associate can demonstrate implementation of RSPs to receive such credit, had not been clear. Now, the Department of Health and Human Services is seeking to provide clarity.
Colleen Theresa Brown
Washington, D.C.
cbrown@sidley.com
Sasha Hondagneu-Messner
New York
shondagneumessner@sidley.com